Tuesday, August 26, 2008

More stuff I wish I could blog about

In another installment of the disturbingly frequent series of posts which only advert to things I would write about at more length if I had more time, I present for your approval this extremely interesting article from Bruce Schneier via Wired.com. In the article Bruce looks at the differing reactions of U.S. and European courts to potential disclosures of security flaws. In short, the U.S. courts, though ostensibly bound by the first amendment, prohibited disclosure of the flaws, while the European courts supported the free speech rights of the researchers who found them. While Bruce didn't really explore the rich history of prior restraints in U.S. law, or discuss how antithetical such prior restraints (supposedly) are to our system, he did a very good job of explaining why suppressing the free dissemination of information about security flaws is a bad idea from a practical standpoint, and not just a legal one: the flaws exist whether or not they are published, and the people most likely to be kept in the dark by a gag order are the defenders, not the attackers.

In any case, as I said at the beginning of the post, I'd love to blog about this further. However, given my current lack of time, I'll have to be content with linking to the article, and identifying it as just one more example of why civil liberties (in this case freedom of speech), even when they appear to be detrimental to security interests, shouldn't be thrown aside lightly.

Monday, August 25, 2008

To the Extent Vice Presidential Candidates Matter

To the extent vice presidential candidates matter, Obama's pick of Joe Biden doesn't seem to augur well for privacy. According to this article from C|NET, Biden has a nasty habit of strongly supporting privacy-unfriendly measures, usually under the guise of specious claims of law enforcement necessity. While I don't know anyone who is voting based on privacy concerns in November (including me), it would be nice to have a VP candidate who was a little more privacy-friendly.

Sunday, August 24, 2008

Only the Guilty Have Something to Hide

The mayor of shuts down a stand where little girls sold excess produce from their family's garden (link).

TSA employees ground plane by using critical instruments as handholds (link).

A pilot is placed on the no-fly list, destroying his ability to do his job (link).

On their face, these incidents aren't obviously about data privacy and information security - the nominal topics of this blog. However, it's incidents like these that come to mind when I hear that privacy doesn't matter because only the guilty have something to hide. To me, the incidents above show that government action, even when the government is faithfully enforcing regulations or laws, can be unpredictable, and even people who never knowingly commit a crime could very well be "guilty" in the sense of incurring adverse government actions. Thus, to say that only the "guilty" have any reason to care about privacy shows a dangerous lack of awareness of how easy it is to violate some law or regulation and thereby become "guilty" yourself. Even worse, when the government collects enormous amounts of data without having to justify itself and without any oversight, there will inevitably be false positives, and those false positives have the potential to literally ruin someone's life (e.g., a pilot who can't do his job because he gets added to a no-fly list).

For this post I intentionally avoided cases where individual privacy is violated as a result of government lawbreaking (e.g., here, which describes an IRS employee who decided to peruse celebrity tax filings). The reason is that, while rogue employees are a problem, the attitude that only the guilty have any reason to value privacy is a problem even when the government is functioning as it is supposed to.

Tuesday, August 19, 2008

Data Storage

As a general rule, one of the easiest ways to make sure data isn't stolen is to not have it. Unfortunately, as mentioned in this paper from GFI Software, there are often legal requirements that prevent a company from purging its data. As the paper mentions, there are a variety of securities regulations that require companies to keep records. While true, that's only part of the story. For example, electronic discovery rules can prohibit a company from purging its records once litigation is reasonably anticipated. What's (potentially) worse, even if a company doesn't purge its records, it can still be sanctioned under the electronic discovery rules if its records aren't in a reasonably accessible form.

The moral of the story? You need to know not just how to protect data, but what data to keep, for how long, and how to keep it in a form where you can get it back when you are required to produce it.

Thursday, August 14, 2008

There was a time when...

There was a time when privacy violations were considered a serious matter. During colonial times (yes, it's been that long) the British would issue general warrants (discussed here) which essentially gave the people executing the warrant broad power to search for contraband or make arrests, without specifying what contraband was being searched for (or why) or the reason for an arrest. To do away with this generally detested practice, the fourth amendment was written to require that:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Truly, it appears that the late 18th century was a heady time for privacy. By contrast, today, government seems to take the same approach to information gathering as some people do with climbing Everest - they don't need a good reason, they just do it because it's there. The reason usually given for these intrusions is preventing terrorism, but this is largely bunk. Take this plan to photograph and store the license numbers of every vehicle that enters Manhattan. If I were a terrorist who wanted to bring a bomb into Manhattan, this plan would be no deterrent whatsoever, as I would simply rent a car. This would have the advantages (from the terrorist's point of view) of both being anonymous and probably being large enough to carry more explosives than I could fit into my actual car. So why is there a plan to gather this data? My guess is that someone in government thought it would be cool, some vendor wanted to sell a new toy, and no one even considered that broad-scale, suspicionless data collection is not something government should be involved in. *sigh*

On the bright side, during the late 18th century I would have had to worry about things like yellow fever and/or malaria, so I suppose it all evens out in the end.

Thursday, August 7, 2008

Drawing the Wrong Lessons from a Breach

The other day, I was listening to the radio, and a commentator said that the most significant harm that could come from a major breach like the TJX breach was not identity theft, but people losing faith in doing business over the internet. Frankly, I'm not sure he was right, given that identity theft is a major problem for consumers. However, even if it isn't the biggest harm from a breach, losing faith in doing business over the internet would be an inappropriate response to a breach like the one at TJX, for the simple reason that the internet had nothing to do with that breach. Instead, the hackers found stores with insecure in-store wireless networks (reported to be protected only by the long-broken WEP encryption), used them to get onto the TJX corporate network and install malicious software, then used that software to harvest card numbers from TJX's systems. The internet didn't come into play until after the cards were stolen and the thieves needed to sell them. While avoiding doing business over the internet might avoid some types of risk (particularly phishing scams), it would have no effect whatsoever on a consumer's risk of being affected by a breach like the one at TJX: the cards were swiped in physical stores, and the weakness was in the retailer's network, not in anything the customer did.

Wednesday, August 6, 2008

Hackers Caught

As described in this article from cnn.com, the Justice Department has indicted 11 people for stealing more than 40 million credit and debit card numbers. Unsurprisingly, given the nature of the crime, the suspects are from all over the world - three from the U.S., three from Estonia, two from Ukraine, two from China, and one from Belarus. The indictments are the result of years of investigation, showing both the difficulty of making arrests in cases of international card fraud and the potential of dedicated police work.

One question raised by the article is how many more people were involved. The article says that "[t]he 41 million credit and debit numbers were used internationally," and also says that the suspects are accused of hacking into the TJX network. There's something of a disconnect between the numbers and the crime. As I mentioned here, depending on whose numbers you go by, the TJX breach involved either 94 or 45 million records. Thus, if the indicted suspects really were behind the breach, and actually stole only 41 million numbers, it implies that they aren't the only ones who were taking numbers from TJX. Still, aside from that small detail, the indictments appear to be happy news. Hopefully the police got the right people, and will continue to do so in the future.