kottke.org posts about security
Soon, new iPhone owners will be able to use a fingerprint to access a phone or buy something on iTunes. Apple's introduction of this fingerprint technology adds a nice layer of security and a bit of convenience for those whose fingers are too tired to type in a four-digit password. But soon, we will be interacting with a lot more devices that have no screens, and biometrics will be the logical way to secure our data. Companies have already developed ways to identify you, from your fingerprints to your heartbeat. And while these methods certainly seem more effective than simple (and often easy-to-hack) passwords, it's a little worrisome that we'll essentially be sharing even more personal data, right down to our person. In order to give us the promise of more security, companies will want to know even more about us. It feels like we've passed a point of no return. So much about us is stored in the cloud (our finances, our communication, our social lives) that we can't turn back. The only way to protect what you've shared so far is to share some more. Protect your data with a password. Protect the password with some secret, personal questions. Protect all of that with your fingerprint or your heartbeat. Before long, you'll have to give a DNA swab to access a collection photos you took yourself. It's a trend worth watching. The last decade was about sharing. The next decade will be about protecting.
Edward Snowden's leak of NSA documents keeps paying dividends. The latest report (in the Guardian, the NY Times, and Pro Publica) alleges that the NSA has cracked or circumvented many of the internet security protocols designed to keep communications private from third parties. From the Pro Publica piece:
The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
Many users assume -- or have been assured by Internet companies -- that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.
Cryptographer Matthew Green speculates on exactly how the NSA might have achieved these results and what the implications are.
Probably the biggest concern in all this is the evidence of collaboration between the NSA and unspecified 'telecom providers'. We already know that the major US (and international) telecom carriers routinely assist the NSA in collecting data from fiber-optic cables. But all this data is no good if it's encrypted.
While software compromises and weak standards can help the NSA deal with some of this, by far the easiest way to access encrypted data is to simply ask for -- or steal -- the keys. This goes for something as simple as cellular encryption (protected by a single key database at each carrier) all the way to SSL/TLS which is (most commonly) protected with a few relatively short RSA keys.
If you're concerned about the privacy of your communications, security expert Bruce Schneier has some suggestions for keeping secure.
1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.
2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections -- and it may have explicit exploits against these protocols -- you're much better protected than if you communicate in the clear.
In a book called Three Felonies A Day, Boston civil rights lawyer Harvey Silverglate says that everyone in the US commits felonies everyday and if the government takes a dislike to you for any reason, they'll dig in and find a felony you're guilty of.
The average professional in this country wakes up in the morning, goes to work, comes home, eats dinner, and then goes to sleep, unaware that he or she has likely committed several federal crimes that day. Why? The answer lies in the very nature of modern federal criminal laws, which have exploded in number but also become impossibly broad and vague. In Three Felonies a Day, Harvey A. Silverglate reveals how federal criminal laws have become dangerously disconnected from the English common law tradition and how prosecutors can pin arguable federal crimes on any one of us, for even the most seemingly innocuous behavior. The volume of federal crimes in recent decades has increased well beyond the statute books and into the morass of the Code of Federal Regulations, handing federal prosecutors an additional trove of vague and exceedingly complex and technical prohibitions to stick on their hapless targets. The dangers spelled out in Three Felonies a Day do not apply solely to "white collar criminals," state and local politicians, and professionals. No social class or profession is safe from this troubling form of social control by the executive branch, and nothing less than the integrity of our constitutional democracy hangs in the balance.
In response to a question about what happens to big company CEOs who refuse to go along with government surveillance requests, John Gilmore offers a case study in what Silverglate is talking about.
We know what happened in the case of QWest before 9/11. They contacted the CEO/Chairman asking to wiretap all the customers. After he consulted with Legal, he refused. As a result, NSA canceled a bunch of unrelated billion dollar contracts that QWest was the top bidder for. And then the DoJ targeted him and prosecuted him and put him in prison for insider trading -- on the theory that he knew of anticipated income from secret programs that QWest was planning for the government, while the public didn't because it was classified and he couldn't legally tell them, and then he bought or sold QWest stock knowing those things.
This CEO's name is Joseph P. Nacchio and TODAY he's still serving a trumped-up 6-year federal prison sentence today for quietly refusing an NSA demand to massively wiretap his customers.
You combine this with the uber-surveillance allegedly being undertaken by the NSA and other governmental agencies and you've got a system for more or less automatically accusing any US citizen of a felony. Free society, LOL ROFLcopter.
Update: For the past two years, the Wall Street Journal has been "examining the vastly expanding federal criminal law book and its consequences". (thx, jesse)
By now, you've likely heard of Edward Snowden, the former NSA contractor who leaked secret documents to the press regarding that agency's electronic surveillance activities. From Glenn Greenwald's excellent coverage for The Guardian, here are a few of the most interesting passages from interviews with Snowden.
From the moment he decided to disclose numerous top-secret documents to the public, he was determined not to opt for the protection of anonymity. "I have no intention of hiding who I am because I know I have done nothing wrong," he said.
Despite these fears, he remained hopeful his outing will not divert attention from the substance of his disclosures. "I really want the focus to be on these documents and the debate which I hope this will trigger among citizens around the globe about what kind of world we want to live in." He added: "My sole motive is to inform the public as to that which is done in their name and that which is done against them."
He has had "a very comfortable life" that included a salary of roughly $200,000, a girlfriend with whom he shared a home in Hawaii, a stable career, and a family he loves. "I'm willing to sacrifice all of that because I can't in good conscience allow the US government to destroy privacy, internet freedom and basic liberties for people around the world with this massive surveillance machine they're secretly building."
"All my options are bad," he said. The US could begin extradition proceedings against him, a potentially problematic, lengthy and unpredictable course for Washington. Or the Chinese government might whisk him away for questioning, viewing him as a useful source of information. Or he might end up being grabbed and bundled into a plane bound for US territory.
"Yes, I could be rendered by the CIA. I could have people come after me. Or any of the third-party partners. They work closely with a number of other nations. Or they could pay off the Triads. Any of their agents or assets," he said.
"We have got a CIA station just up the road -- the consulate here in Hong Kong -- and I am sure they are going to be busy for the next week. And that is a concern I will live with for the rest of my life, however long that happens to be."
He left the CIA in 2009 in order to take his first job working for a private contractor that assigned him to a functioning NSA facility, stationed on a military base in Japan. It was then, he said, that he "watched as Obama advanced the very policies that I thought would be reined in", and as a result, "I got hardened."
The primary lesson from this experience was that "you can't wait around for someone else to act. I had been looking for leaders, but I realised that leadership is about being the first to act."
"I carefully evaluated every single document I disclosed to ensure that each was legitimately in the public interest," he said. "There are all sorts of documents that would have made a big impact that I didn't turn over, because harming people isn't my goal. Transparency is."
And from a second piece with a straight-up interview:
Q: Why did you decide to become a whistleblower?
A: "The NSA has built an infrastructure that allows it to intercept almost everything. With this capability, the vast majority of human communications are automatically ingested without targeting. If I wanted to see your emails or your wife's phone, all I have to do is use intercepts. I can get your emails, passwords, phone records, credit cards.
"I don't want to live in a society that does these sort of things ... I do not want to live in a world where everything I do and say is recorded. That is not something I am willing to support or live under."
Q: What do the leaked documents reveal?
A: "That the NSA routinely lies in response to congressional inquiries about the scope of surveillance in America. I believe that when [senator Ron] Wyden and [senator Mark] Udall asked about the scale of this, they [the NSA] said it did not have the tools to provide an answer. We do have the tools and I have maps showing where people have been scrutinised most. We collect more digital communications from America than we do from the Russians."
Q: What is your reaction to Obama denouncing the leaks on Friday while welcoming a debate on the balance between security and openness?
A: "My immediate reaction was he was having difficulty in defending it himself. He was trying to defend the unjustifiable and he knew it."
Q: Washington-based foreign affairs analyst Steve Clemons said he overheard at the capital's Dulles airport four men discussing an intelligence conference they had just attended. Speaking about the leaks, one of them said, according to Clemons, that both the reporter and leaker should be "disappeared". How do you feel about that?
A: "Someone responding to the story said 'real spies do not speak like that'. Well, I am a spy and that is how they talk. Whenever we had a debate in the office on how to handle crimes, they do not defend due process - they defend decisive action. They say it is better to kick someone out of a plane than let these people have a day in court. It is an authoritarian mindset in general."
Both of these pieces are very much worth reading in entirety. Also worth a read is Timothy Lee's piece for The Washington Post, Has the US become the type of nation from which you have to seek asylum?
Four decades ago, Daniel Ellsberg surrendered to federal authorities to face charges of violating the Espionage Act. During his trial, he was allowed to go free on bail, giving him a chance to explain his actions to the media. His case was eventually thrown out after it was revealed that the government had wiretapped him illegally.
Bradley Manning, a soldier who released classified documents to WikiLeaks in 2010, has had a very different experience. Manning was held for three years without trial, including 11 months when he was held in de facto solitary confinement. During some of this period, he was forced to sleep naked at night, allegedly as a way to prevent him from committing suicide. The United Nations' special rapporteur on torture has condemned this as "cruel, inhuman and degrading treatment in violation of Article 16 of the convention against torture."
We've spent the two dozen years putting computers in everything from our bodies to our cars. Now those devices increasingly have wireless connections to the outside world. Throw in a little lax security and the whole world becomes hackable.
Hospital equipment like external defibrillators and fetal monitors can at least be picked up, taken apart, or carted away. Implanted devices -- equipment surgically implanted into the body -- are vastly more difficult to remove but not all that much harder to attack.
You don't even have to know anything about medical devices' software to attack them remotely, Fu says. You simply have to call them repeatedly, waking them up so many times that they exhaust their batteries-a medical version of the online "denial of service" attack, in which botnets overwhelm Web sites with millions of phony messages. On a more complex level, pacemaker-subverter Barnaby Jack has been developing Electric Feel, software that scans for medical devices in crowds, compromising all within range. Although Jack emphasizes that Electric Feel "was created for research purposes, in the wrong hands it could have deadly consequences." (A General Accounting Office report noted in August that Uncle Sam had never systematically analyzed medical devices for their hackability, and recommended that the F.D.A. take action.)
"You have a secret that can ruin your life." That's according to Mat Honan, and he should know. Several months ago he saw much of his online life hacked and deleted in an instant. In this Wired cover story (that includes some valuable tips for protecting yourself online), Honan breaks the news that "no matter how complex, no matter how unique, your passwords can no longer protect you."
Fairy wrens have a cuckoo problem. Specifically, cuckoos lay their eggs in the nest of the fairy wrens and, if undetected, they would end up raising the baby cuckoos to the potential detriment of their own children. But what the fairy wren mother does is after laying her eggs, she sings a unique song to the eggs until they hatch. Having learned the song while in-egg, the hatched baby wrens sing back part of the song to get fed.
She kept 15 nests under constant audio surveillance, and discovered that fairy-wrens call to their unhatched chicks, using a two-second trill with 19 separate elements to it. They call once every four minutes while sitting on their eggs, starting on the 9th day of incubation and carrying on for a week until the eggs hatch.
When Colombelli-Negrel recorded the chicks after they hatched, she heard that their begging call included a single unique note lifted from mum's incubation call. This note varies a lot between different fairy-wren broods. It's their version of a surname, a signature of identity that unites a family. The females even teach these calls to their partners, by using them in their own begging calls when the males return to the nest with food.
These signature calls aren't innate. The chicks' calls more precisely matched those of their mother if she sang more frequently while she was incubating. And when Colombelli-Negrel swapped some eggs between different clutches, she found that the chicks made signature calls that matches those of their foster parents rather than those of their biological ones. It's something they learn while still in their eggs.
(via bruce schneier)
I cannot believe these are some of the passwords people actually use:
I feel more secure than ever with my "password2" password.
I tweeted about this but wanted to document it here for posterity. The Attorney General of Texas Child Support website has the worst set of password requirements I've ever seen.
Exactly eight characters? No consecutive repeating characters? This is the internet equivalent of everyone throwing their supposedly dangerous 3+ oz. liquid containers into one giant barrel where hundreds of people are queuing up for "security". Makes you wonder how non-user-friendly the state's actual child support process is.
Update: Here's another bad password policy, courtesy of TechRepublic:
Can't contain two separated numbers? I don't even. If you've run across other examples like these, tweet at me.
Update: Troy Hunt has a list of bad password practices...for example, here's ING's 4-digit PIN login:
Four digits, numbers only...FOR A BANK! He also has a screenshot of American Express' case insensitive password rule.
Update: Jonathan Cogley signed up to access the web site of a "major credit card company" (AmEx?) and ran into the case insensitivity as well.
Update: BTW, there are many resources out there about choosing good passwords, but I found this one particularly helpful.
Update: This one from the US Citizenship and Immigration Services site is very similar to the Texas one.
Is there a consultant somewhere telling state and federal governments how not to do passwords? (via @kelseyfrost)
Update: I've gotten several notes about ING...their PINs are 6+ digits but still only numbers, which seems trivial to hack, even with their ever-shifting numeric keypad (readily OCR-able) and image verification (isn't foolproof).
Update: Suncorp Bank requires that passwords be 6-8 characters and can't contain consecutive numbers or special characters.
Chase requires a password for your password so you can log in while you log in. Or something.
But the best one so far might be for Sabre Red, a booking system used by travel agents.
7-8 characters in length, no special characters, no more than two repeating characters, and you cannot use the letters Z or Q (presumably a holdover from the days when phone keypads didn't have Qs or Zs). Wow. (via @SteveD503, @albedoa & @TheLoneCuber)
Charles Mann visits the airport with security expert Bruce Schneier and a fake boarding pass. What he finds is a lot of security theater and not much security.
"The only useful airport security measures since 9/11," he says, "were locking and reinforcing the cockpit doors, so terrorists can't break in, positive baggage matching" -- ensuring that people can't put luggage on planes, and then not board them -- "and teaching the passengers to fight back. The rest is security theater."
While assisting the Secret Service in bringing down a cybercrime ring called Shadowcrew, Albert Gonzalez was, unbeknowst to the agents he was working with, involved with a much larger scheme to steal credit card information on a massive scale. Despite making millions of dollars hacking into the databases of large companies, Gonzalez preferred living at home with his parents for three reasons:
1. he loved his mother's cooking
2. he loved playing with his nephew
3. he could more easily launder money through his parents' home-equity line of credit
When they pieced together how Gonzalez organized these heists later, federal prosecutors had to admire his ingenuity. "It's like driving to the building next to the bank to tunnel into the bank," Seth Kosto, an assistant U.S. attorney in New Jersey who worked on the case, told me. When I asked how Gonzalez rated among criminal hackers, he replied: "As a leader? Unparalleled. Unparalleled in his ability to coordinate contacts and continents and expertise. Unparalleled in that he didn't just get a hack done -- he got a hack done, he got the exfiltration of the data done, he got the laundering of the funds done. He was a five-tool player."
Jeffrey Goldberg on the TSA's new security theater measures, including pat-downs that are so humiliating and uncomfortable that people won't mind using the scanning machine that shows them naked.
I asked him if he was looking forward to conducting the full-on pat-downs. "Nobody's going to do it," he said, "once they find out that we're going to do."
In other words, people, when faced with a choice, will inevitably choose the Dick-Measuring Device over molestation? "That's what we're hoping for. We're trying to get everyone into the machine." He called over a colleague. "Tell him what you call the back-scatter," he said. "The Dick-Measuring Device," I said. "That's the truth," the other officer responded.
The pat-down at BWI was fairly vigorous, by the usual tame standards of the TSA, but it was nothing like the one I received the next day at T.F. Green in Providence. Apparently, I was the very first passenger to ask to opt-out of back-scatter imaging. Several TSA officers heard me choose the pat-down, and they reacted in a way meant to make the ordinary passenger feel very badly about his decision. One officer said to a colleague who was obviously going to be assigned to me, "Get new gloves, man, you're going to need them where you're going."
The agent snapped on his blue gloves, and patiently explained exactly where he was going to touch me. I felt like a sophomore at Oberlin.
From November 2007 but still relevant: Odds of Dying in a Terrorist Attack.
You are six times more likely to die from hot weather than from a terrorist attack
You are 87 times more likely to drown than die in a terrorist attack
You are 1048 times more likely to die from a car accident than from a terrorist attack
You are 12 times more likely to die from accidental suffocation in bed than from a terrorist attack
You are eight times more likely to be killed by a police officer than by a terrorist
I guess when you're the President, it's just not that impressive to say that you protected the nation's populace from accidental suffocation in bed.
Along the lines of "what's your mother's maiden name?", here are some even more secure user authentication questions.
What time was it when, in a drunken rage, you threw your novel into the fire?
If you could do it all over again, what would you do differently?
House keys left out on table + telephoto lens at a distance of 200 feet + SNEAKEY key duplication software = perfect working copies of your keys. Eep. The system also works with crappy cellphone camera photos.
I don't know if this is sadly hilarious or hilariously sad. Jeffrey Goldberg took all sorts of crazy stuff through airport security -- "al-Qaeda T-shirts, Islamic Jihad flags, Hezbollah videotapes, inflatable Yasir Arafat dolls (really), pocketknives, matches from hotels in Beirut and Peshawar, dust masks, lengths of rope, cigarette lighters, nail clippers, eight-ounce tubes of toothpaste (in my front pocket), bottles of Fiji Water (which is foreign), and, of course, box cutters" -- and almost nothing was ever taken away from him or was a source of concern for airport security personnel.
We took our shoes off and placed our laptops in bins. Schneier took from his bag a 12-ounce container labeled "saline solution."
"It's allowed," he said. Medical supplies, such as saline solution for contact-lens cleaning, don't fall under the TSA's three-ounce rule.
"What's allowed?" I asked. "Saline solution, or bottles labeled saline solution?"
"Bottles labeled saline solution. They won't check what's in it, trust me."
They did not check. As we gathered our belongings, Schneier held up the bottle and said to the nearest security officer, "This is okay, right?" "Yep," the officer said. "Just have to put it in the tray."
"Maybe if you lit it on fire, he'd pay attention," I said, risking arrest for making a joke at airport security. (Later, Schneier would carry two bottles labeled saline solution-24 ounces in total-through security. An officer asked him why he needed two bottles. "Two eyes," he said. He was allowed to keep the bottles.)
So hard to pick just one excerpt from this one...it's full of ridiculousness. I don't care how many blogs the TSA launches, this is a farce. (thx, anthony)
Evan Roth has been putting metal plates with messages and symbols cut into them into his carry-on luggage when he goes through security at the airport.
Here's Roth's idea, which he calls "TSA Communication" and tells me has already made it through three trial airport runs: Take a metal plate, stencil and cut out a message -- words or an image -- place the plate at the bottom of your carry-on bag, and watch what happens as the TSA employee operating the airport X-ray machine notices ... or doesn't notice.
So far, he's used plates with outlines of the American flag, a "NOTHING TO SEE HERE" message, and something he calls The Exact Opposite Of A Box Cutter, a plate with a box cutter shape cut out of it.
A mom let her 9-year-old son take the NYC subway and bus home from Sunday shopping.
For weeks my boy had been begging for me to please leave him somewhere, anywhere, and let him try to figure out how to get home on his own. So on that sunny Sunday I gave him a subway map, a MetroCard, a $20 bill, and several quarters, just in case he had to make a call.
No, I did not give him a cell phone. Didn't want to lose it. And no, I didn't trail him, like a mommy private eye. I trusted him to figure out that he should take the Lexington Avenue subway down, and the 34th Street crosstown bus home. If he couldn't do that, I trusted him to ask a stranger. And then I even trusted that stranger not to think, "Gee, I was about to catch my train home, but now I think I'll abduct this adorable child instead."
Upon telling the story to others, she encountered some resistance:
Half the people I've told this episode to now want to turn me in for child abuse. As if keeping kids under lock and key and helmet and cell phone and nanny and surveillance is the right way to rear kids. It's not. It's debilitating -- for us and for them.
A chronological list of fears, from childhood through parenthood. (via lone gunman)
Salon had an interview with Pamela Paul the other day, author of Parenting, Inc., a book about the business of parenting. Paul starts out by disparging the $800 stroller phenomenon. Ollie's stroller was somewhat expensive (not $800 but not $100 either) but it's well built, flexible in use, nicely designed (functionally speaking), and was far and away the best one for our needs. We didn't feel good about spending so much money, but the eventual cost-per-use will be in the range of cents, so we're really happy with our choice so far. Some parents buy expensive strollers more as a fashion statement, so I can see where Paul is coming from on this one.
I thought the rest of the interview was quite good. We're still new to this parenting thing, but Paul seems to be on the right track. Here's her take on the best toys for kids:
When you think back to the '60s and '70s, all the right-thinking progressive parents thought toys should be natural and open-ended. Crayola and Kinder Blocks and Lego were considered raise-your-kid-smart toys. Then, all this data that came out which said that kids need to be stimulated. They need sound! They need multi-sensory experiences! Now, the more bells and whistles a toy has, the supposedly better it is.
Our parents' generation actually had it right. The less the toy does, the better. Everyone thinks: "Toys need to be interactive." No, toys don't need to be interactive. Children need to interact with toys. The best toys are 90 percent kid, 10 percent toy, the kind of thing that you can use 20 different ways, not because it has 20 different buttons to press, but because the kid, when they're 6 months old is going to chew on it, and toss it, but when they're a year they're going to start stacking it.
And then later:
At the most basic level reuse, recycle, repurpose. The average American child gets 70 new toys a year. That is just so far beyond what is necessary. Most child gear, toys, books are a lot cheaper, relatively speaking, than they were decades ago. In the aggregate it ends up being a lot more expensive, because we're buying a lot more of it, but kids just don't need that many toys. Kids lose out when things become less special.
We've been avoiding toys that make noise and light up. Half of his toys are garbage -- old toilet paper rolls, bags that our coffee pods come in, 20oz soda bottles filled with colored water or split peas, scraps of fabric, etc. -- or not even toys at all -- pots and pans, measuring spoons, etc. It seems like the right approach for us; Paul's "90 percent kid, 10 percent toy" really resonates.
Paul also talks about not overstimulating kids. When I get up in the morning or come home from the office, it's hard not to scoop Ollie up and give him constant attention until he goes to bed or down for a nap. Instead, I've been trying to leave him alone to play and explore by himself. He's getting old enough that when he wants me involved, he'll come to me. In this way, parenting is like employee management; give people the resources they need and then let them do their jobs.
This last bit reminded me of our trip to Buy Buy Baby (subtle!!) to procure baby proofing supplies. They totally had a Wall of Death designed to entice parents to coat their entire house in cheap white plastic.
The baby-proofing industry completely preys on parents' worst anxieties and fears. It really doesn't take a brain surgeon to baby-proof a house, and every store has the "Wall of Death" with like 10,000 products in it that you can affix to any potentially sharp surface in your house, if you choose to go that route.
It's difficult not to feel incredibly manipulated by the Wall of Death. You know deep down that it's ridiculous; your parents didn't have any of this crap and you turned out fine. But then the what-ifs start gnawing away at your still-shaky confidence as a new parent. Our encounter with the Wall paralyzed us, and with the exception of those plastic wall outlet plugs, we've punted on baby proofing for now. We're letting Ollie show us where all the problem areas are before committing to any white plastic solutions.
Bruce Schneier on the Portrait of the Modern Terrorist as an Idiot. "Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots -- and worse, allowing our essential freedoms to be lost by using them as an excuse -- is wrong."
I've used Bank of America to do my online banking in the past and their SiteKey "technology" always irritated the hell out of me because it led me to believe that Bank of America thought I was:
a) a criminal
b) an idiot
c) a customer
The basic idea behind SiteKey is that when you log in to your account, you're shown a photo of, say, an orange kitten before you enter your password so that you know you're not on the site of a phisher who knows nothing about your orange kitten but wants to collect your login info. In addition, the site makes you verify your identity with a security question -- like "what's your favorite food?" -- before using the site from a new IP address, which means if you're on a cable or DSL connection, this happens every couple weeks when your current IP expires...or whenever BofA feels like they should throw up another virtual pane of bulletproof glass between you and your account information. For those who don't fall for phishing scams -- by accessing sites directly through bookmarks or by typing URLs into the location bar -- SiteKey is nothing but an irritant and a deterrent and there's no way to switch it off.
On Tuesday, Christopher Soghoian and Markus Jakobsson published a clever method by which password phishers could get around SiteKey. The method takes advantage of a simple hole in the logic concerning SiteKey...that anyone who knows your account's login name and state of residence can see both your SiteKey image and any challenge questions, no password required. All the phisher has to do is ask for the login name and state of residence, send that info to the BofA site (via a script running on the phisher's machine), get back a security question, display that, send the answer to the BofA site, get back the correct SiteKey image, display that, and collect the person's password, all while presenting a nearly seamless Bank of America-like experience to the user.
Hopefully this gaping monster of a security hole will convince BofA that not only does SiteKey security not work, it's not even security and they'll soon be rid of it.
Update: Here's an even easier SiteKey exploit.
An anonymous author (they cannot legally reveal their identity) describes their National Security Letter gag order. Since the Patriot Act, the FBI has been sending out tens of thousands of these Letters, the recipients of which have no choice but to comply and keep absolutely quiet about it. "Living under the gag order has been stressful and surreal. Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case -- including the mere fact that I received an NSL -- from my colleagues, my family and my friends."
The must-read item of the weekend: how a bunch of guys got themselves and two full van-loads of materials into the Super Bowl and distributed lights to fans to spell out a special message seen during the halftime show. This is in the hall of fame of pranks for sure. "Super Bowl XLI was a Level One national security event, usually reserved for Presidential inaugurations. We had to get two full vanloads of materials through federal marshals, Homeland Security agents, police, police dogs, bomb squads, ATF personnel, robots, and a five-ton state-of-the-art X-ray crane. It took four months and a dozen people to pull off the prank that ended up fooling the world. This is the Super Stunt." (via waxy)
TSA travel tip: cheesecake is not a gel. "So, as you're traveling for the holidays, if you should feel the urge to surprise a loved one with a piece of cheesecake or some other gelatinous food product and are questioned by the TSA, make sure you remind them about the 'LaGuardia Cheesecake Precedent of October 2006' and claim your right to bring that cheesecake on the plane with you." Consider this a companion piece to the security theater article from earlier in the week.
The inept security theater at the airport. "For theater on a grand scale, you can't do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration."
Even though the most popular password on MySpace is "password1" (the 5th most popular password is "blink182"), most users' passwords are pretty good...and better than corporate employees' passwords.
Bruce Schneier: "It's time we calm down and fight terror with antiterror. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show's viewership."
Faces are now being searched at US airports for suspicious microexpressions. Psychologist Paul Ekman helped set up the program and was previously one of Malcolm Gladwell's subjects in The Naked Face and Blink.
Q. Is it possible to use a wireless Internet connection on a plane?
A. Yes, if you happen to be flying on an airline that offers the service. International carriers like Korean Air, Lufthansa and Singapore Airlines already have wireless broadband service on many routes; fees for using it vary. Check with your airline to see if it offers in-flight Internet.
So says the NY Times. While it may not be possible to use wireless Internet connections on the plane, it is possible to use wireless connections. Apple laptops can create networks which other computers with wireless capability can join. Bluetooth capable devices like laptops and cellphones can communicate with each other over smaller distances.
Since 9/11, I've often thought that this would be an effective way for a group of people to coordinate some nefarious action on a plane without attracting any attention. Five or six people scattered about the plane on laptops, iChatting plans to one another, wouldn't be unusual at all. Of course, a properly trained group wouldn't need to communicate with each other at all after boarding the plane. Nor, says Bruce Schneier, should we ban things like cellphones and Internet access on airplanes for security reasons.
Nevermind...the video is fake.
This is one of the most insane things I've ever seen....graffiti artist/entrepreneur Marc Ecko tagged Air Force One. The US govt can't even effectively guard the President's plane...how does Homeland Security expect to do it with all commercial passenger airplanes? (via airbag)
The Onion provides a list of new guidelines from the Transportation Security Administration. "Vermont and New York cheddars can be brought on board, but not Wisconsin cheddar -- by far the sharpest cheese in the cheddar family".
At the risk (ha!) of missing it, I waited until this late in the game to check out Safe: Design Takes On Risk at the MoMA. Great show. Two of my favorite items:
- Safe Bedside Table by James McAdam. If the need should arise in the middle of the night, the top of the table separates from the leg and can be worn on the arm as a shield while you use the leg to beat the crap out of a surprised burglar.
- Suited for Subversion by Ralph Borland. Don this highly visable suit before heading out for a day of protesting. It's padded to protect against police brutality, an optional wireless camera acts as a witness to the day's events, and a speaker amplifies the wearer's heatbeat, letting those around him know that's he's scared, anxious, exhilarated, or simply human.
For you armchair museum goers, what looks to be the entire exhibition is available online.
Also, the MoMA around holiday time, not so crowded. (Well, relatively so. There were still a fair number of people there, just not so many as in the Build-A-Bear store on 5th Avenue.)
Stephanie Hendrick has tracked down the identity of an anonymous blogger (she matched them to a non-anonymous blog) using linguistic identity markers. See also secret sites. (via j/t)
Table of the odds of dying from various injuries. Looking at statistics like these, I'm always amazed at how worried people are about things that don't often result in death (fireworks, sharks) and how relatively dangerous automobiles are (see, for example, this list of people on MySpace who have died...many of the deaths on the first two pages involve cars).
One of the most interesting things to come out of the secret sites discussion is that people are keeping their private journals on the web instead of in a paper journal under their mattress or in a Word document on their computer. This sounds surprising, but there's a couple of good reasons for it:
- The tools for writing, organizing, and searching an online journal written with Typepad or LiveJournal are superior to those for writing a paper journal or an electronic diary (in Word or text format) stored locally. Hyperlinks, entries organized by date, mood, category, if you're used to using these things writing a public site, you might have trouble going back to just text in a Word document for your important innermost thoughts.
- Your diary may actually be more private and secure on the web. A password protected online journal is more difficult for a parent, significant other, or parole officer to stumble upon and read than a document sitting on a hard drive of a shared computer or hidden on the top shelf of a closet, especially if you're careful with your cookies, browser history, choose a good password, and are more computer savvy than said parent/S.O./P.O.
I bet few would have predicted keeping personal diaries secret as a use of the public internet several years ago.
There's nothing good about the shooting of airline passenger Rigoberto Alpizar by air marshals. Guns on airplanes -- I don't care who's wielding them under what authority -- is a bad idea; some alternative thinking is needed.
The decompression from my trip to Asia continues. I have read through ~8000 items in my newsreader and discarded almost all of them (despite much interest in solving the problem, no one has built a machine that has any idea about what content needles I want out of the media haystack).
However, one item caught my interest (although I can't remember where I saw it): someone asked their readers how many secret sites/blogs they maintained. That is, sites that no one knows you're the author of (written anonymously or with a nom de plume) or sites to which the general public does not have access. If I remember correctly, a large number of the respondents not only maintained a secret site, but had several. I have one secret blog, published under my own name, that only a small group of friends can read. I just started it recently (after learning that several friends have been doing this for awhile) and don't update it very often. How about you...any secret sites? Why keep them on the down-low?
Bruce Schneier on the sorry state of airport security. "Exactly two things have made airline travel safer since 9/11: reinforcement of cockpit doors, and passengers who now know that they may have to fight back. Everything else...is security theater."
WSJ tech columnist Walt Mossberg on DRM: "media companies go too far in curbing comsumers' activities".
With AJAX MAssive Storage System (AMASS) a web page can store large amounts of data on a computer using hidden Flash applets. Brilliant hack, but seems like a potential security concern (an AMASS-like app could just fill up a hard drive without prompting, no?). I just looked at this briefly...would this allow one to run something like GMail offline? (I'm thinking not.) (via waxy)
Witold Rybczynski on perimeter security around prominent public and government buildings. "The problem is that huge hunks of reinforced concrete in city streets are not only an eyesore and an impediment to movement, they're a blatant and unsightly expression of a siege mentality."
A citizen's guide to refusing NYC subway searches. "As innocent citizens become increasingly accustomed to being searched by the police, politicians and police agencies are empowered to further expand the number of places where all are considered guilty until proven innocent."
Ugh, riders on the NYC subway are going to have their bags randomly searched by the NYPD. "People who do not submit to a search will be allowed to leave, but will not be permitted into the subway station." What the fuck?!?
Bruce Schneier on how to mitigate identity theft. "If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions."