Eavesdropping with your cell phone

From David S. Bennahum’s “Hope You Like Jamming, Too” (Slate):

…innovative industrial spies, who have several neat new tricks. These days, a boardroom Mata Hari can purchase a specially designed cell phone that will answer incoming calls while appearing to be switched off. In a business meeting, she could casually leave her phone on the table while excusing herself to go to the bathroom. Once she’s gone, she can call the phone she left behind and eavesdrop on what the other side is saying in her absence.

How an email account without passwords can be good for security

From Robert X. Cringely’s “Stream On”:

Mailinator is ad hoc e-mail for those times when just maybe you don’t want to use your regular e-mail address. Say you are snitching on the boss, buying inflatable people, or want 32 different PayPal accounts. Just tell someone—anyone—that your e-mail address is or, or or any other address you like at But this is no dead-end. When people write to you at that address the message will go through. That’s because Mailinator accepts any message going to that domain and automatically assigns an e-mail account to it. But what about passwords? There are none. Anyone can go to Mailinator and check the mail for clueless or any other name. But with so many names and the idea that Mailinator is only for occasional use, who cares?

Better security = reduced efficiency

From Robert X. Cringely’s “Stream On”:

Yet nearly everything we do to combat crime or enhance safety comes at the expense of reduced efficiency. So we build airports to make possible efficient air transportation, then set up metal detectors to slow down the flow of passengers. We build highways to make car travel faster, then set speed limits to make it slower.

The email dead drop

From the L.A. Times’ “Cyberspace Gives Al Qaeda Refuge”:

Simplicity seems to work best. One common method of communicating over the Internet is essentially an e-mail version of the classic dead drop.

Members of a cell are all given the same prearranged username and password for an e-mail account on an Internet service provider, or ISP, such as Hotmail or Yahoo, according to the recent joint report by the Treasury and Justice departments.

One member writes a message, but instead of sending it, he puts it in the ‘draft’ file and then logs off. Someone else can then sign onto the account using the same username and password, read the draft and then delete it.

‘Because the draft was never sent, the ISP does not retain a copy of it and there is no record of it traversing the Internet—it never went anywhere, its recipients came to it,’ the report said.

American Express’ security policies made things more insecure

From Bruce Schneier’s Crypto-Gram of 15 August 2003:

When I called to activate an American Express credit card I had received in the mail, the automated system told me that I would have to associate a PIN with it. The system told me that other users liked the idea of using their mother’s birthday as a four digit PIN. After some experimentation, I discovered that the system would accept only those four digit PINs that corresponded to dates: 0229 was acceptable but not 0230 and certainly not 3112 (New Year’s Eve, European style.) Thus the system policy administrators had reduced the 10,000 possible four-digit PINs to 366.
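The key-space collapse Schneier describes can be measured directly. The following is an added example (not from Crypto-Gram) that models the date-only acceptance rule as a predicate and counts how many of the 10,000 four-digit PINs survive it:

```python
"""Added example: measure how much of the four-digit PIN space an
acceptance rule leaves. The date-only rule quoted above (MMDD must be a
valid calendar date, with 0229 accepted) is compared with the
unrestricted rule. Assumed helper names; not American Express code."""
import calendar
from typing import Callable, List

# Every possible four-digit PIN, zero-padded.
ALL_PINS = [f"{n:04d}" for n in range(10_000)]


def is_date_pin(pin: str) -> bool:
    """Accept only MMDD strings that are valid calendar dates.

    Feb 29 is counted because the system described above accepted 0229;
    a leap year is used for the month-length lookup for that reason.
    """
    if len(pin) != 4 or not pin.isdigit():
        return False
    month, day = int(pin[:2]), int(pin[2:])
    if not 1 <= month <= 12:
        return False
    days_in_month = calendar.monthrange(2000, month)[1]  # 2000 is a leap year
    return 1 <= day <= days_in_month


def any_pin(pin: str) -> bool:
    """The unrestricted rule: every four-digit string is acceptable."""
    return len(pin) == 4 and pin.isdigit()


def accepted_pins(rule: Callable[[str], bool]) -> List[str]:
    """Enumerate the PINs a given acceptance rule lets through."""
    return [p for p in ALL_PINS if rule(p)]


def expected_guesses(space_size: int) -> float:
    """Average guesses needed to hit a uniformly chosen PIN: (n + 1) / 2."""
    return (space_size + 1) / 2


if __name__ == "__main__":
    for name, rule in (("any four digits", any_pin), ("dates only", is_date_pin)):
        n = len(accepted_pins(rule))
        print(f"{name:16s}: {n:5d} PINs, ~{expected_guesses(n):.0f} guesses on average")
```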

Getting past security on planes

From Bruce Schneier’s Crypto-Gram of 15 August 2003:

It’s actually easy to fly on someone else’s ticket. Here’s how: First, have an upstanding citizen buy an e-ticket. (This also works if you steal someone’s identity or credit card.) Second, on the morning of the flight print the boarding pass at home. (Most airlines now offer this convenient feature.) Third, change the name on the e-ticket boarding pass you print out at home to your own. (You can do this with any half-way decent graphics software package.) Fourth, go to the airport, go through security, and get on the airplane.

You can even make a knife on board the plane. Buy some steel epoxy glue at a local hardware store. It comes in two tubes: a base with steel dust and a hardener. Make a knifelike mold by folding a piece of cardboard in half. Then mix equal parts from each tube and form into a knife shape, using a metal fork from your first-class dinner service (or a metal spoon you carry aboard) for the handle. Fifteen minutes later you’ve got a reasonably sharp, very pointy, black steel knife.

Laundering a car’s VIN

From Bruce Schneier’s Crypto-Gram of 15 October 2003:

Precision stripping: criminal steals car, chop shop strips car completely down to chassis, chassis dumped on street, cops tow chassis away, chassis sold at auction, criminal buys chassis, chop shop reattaches parts. Result: legitimate car that can be legally sold used. The VIN has been ‘laundered’.

What seems obvious in security often is not

From Russell Nelson’s comment to Bruce Schneier’s Crypto-Gram of 15 November 2003:

> A New York detective was once asked whether pickpockets in
> Manhattan dressed in suits and ties to facilitate their crimes
> subsequent escape. He responded by saying that in twenty years
> he had never arrested even one pickpocket in a tie.

Do you mean this as evidence to bolster your point or to counter it? It seems to me that if he never arrested even one pickpocket in a tie, that would be very good evidence that pickpockets wearing ties escape arrest.

A nanny’s man-in-the-middle attack

From Bruce Schneier’s Crypto-Gram of 15 April 2004:

Here’s a story of a woman who posts an ad requesting a nanny. When a potential nanny responds, she asks for references for a background check. Then she places another ad, using the reference material as a fake identity. She gets a job with the good references—they’re real, although for another person—and then robs the family who hires her. And then she repeats the process.

Look what’s going on here. She inserts herself in the middle of a communication between the real nanny and the real employer, pretending to be one to the other. The nanny sends her references to someone she assumes to be a potential employer, not realizing that it is a criminal. The employer receives the references and checks them, not realizing that they don’t actually belong to the person who is sending them.

Problems with ID cards

From Bruce Schneier’s Crypto-Gram of 15 April 2004:

My argument may not be obvious, but it’s not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails.

It doesn’t really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names. …

Not that there would ever be such thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself is capable of abuse. …

But the main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American—one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks are enormous. Such a database would be a kludge of existing databases; databases that are incompatible, full of erroneous data, and unreliable. …

What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal here is to know someone’s intentions, and their identity has very little to do with that.

Security decisions are often made for non-security reasons

From Bruce Schneier’s Crypto-Gram of 15 July 2004:

There was a single guard watching the X-ray machine’s monitor, and a line of people putting their bags onto the machine. The people themselves weren’t searched at all. Even worse, no guard was watching the people. So when I walked with everyone else in line and just didn’t put my bag onto the machine, no one noticed.

It was all good fun, and I very much enjoyed describing this to FinCorp’s VP of Corporate Security. He explained to me that he got a $5 million rate reduction from his insurance company by installing that X-ray machine and having some dogs sniff around the building a couple of times a week.

I thought the building’s security was a waste of money. It was actually a source of corporate profit.

The point of this story is one that I’ve made in ‘Beyond Fear’ and many other places: security decisions are often made for non-security reasons.

Evaluating software features

When developing software, it’s important to rank your features, as you can’t do everything, & not everything is worth doing. One way to rank features is to categorize them in order of importance using the following three categories:

  1. Required/Essential/Necessary: Mission critical features that must be present
  2. Preferred/Conditional: Important features & enhancements that bring better experience & easier management, but can wait until later release if necessary
  3. Optional/Nice To Have: If resources permit, sure, but otherwise…

Of course, you should also group your features based upon the kinds of features they are. Here’s a suggestion for those groups:

  • User experience
  • Management
  • Security

My response to the news that “Reader, Acrobat Patches Plug 23 Security Holes”

I sent this email out earlier today to friends & students:

For the love of Pete, people, if you use Adobe Acrobat Reader, update it.

But here’s a better question: why are you using Adobe Reader in the first place? It’s one of the WORST programs for security you can have on your computer. And most of the time, you just don’t need it!

If you use Windows, give Foxit Reader ( a whirl. It’s free!

If you use a Mac, you already have a great PDF reader installed with your operating system: Preview. Use it.

The ONLY reason to use Adobe Reader is to fill out tax forms. When I need to do that, I download Adobe Reader, download the PDFs from the gubmint, fill out the PDFs, send ’em to the Feds & the State, & then remove Adobe Reader. I encourage others to do the same.

A summary of Galbraith’s The Affluent Society

From a summary of John Kenneth Galbraith’s The Affluent Society (Abridge Me: 1 June 2010):

The Concept of the Conventional Wisdom

The paradigms on which society’s perception of reality are based are highly conservative. People invest heavily in these ideas, and so are heavily resistant to changing them. They are only finally overturned by new ideas when new events occur which make the conventional wisdom appear so absurd as to be impalpable. Then the conventional wisdom quietly dies with its most staunch proponents, to be replaced with a new conventional wisdom. …

Economic Security

… Economics professors argue that the threat of unemployment is necessary to maintain incentives to high productivity, and simultaneously that established professors require life tenure in order to do their best work. …

The Paramount Position of Production

… Another irrationality persists (more in America than elsewhere?): the prestigious usefulness of private-sector output, compared to the burdensome annoyance of public expenditure. Somehow public expenditure can never quite be viewed as a productive and enriching element of national output; it is forever something to be avoided, at best a necessary encumbrance. Cars are important, roads are not. An expansion in telephone services improves the general well-being, cuts in postal services are a necessary economy. Vacuum cleaners to ensure clean houses boost our standard of living, street cleaners are an unfortunate expense. Thus we end up with clean houses and filthy streets. …

[W]e have wants at the margin only so far as they are synthesised. We do not manufacture wants for goods we do not produce. …

The Dependence Effect

… Modern consumer demand, at the margin, does not originate from within the individual, but is a consequence of production. It has two origins:

  1. Emulation: the desire to keep abreast of, or ahead of one’s peer group — demand originating from this motivation is created indirectly by production. Every effort to increase production to satiate want brings with it a general raising of the level of consumption, which itself increases want.
  2. Advertising: the direct influence of advertising and salesmanship create new wants which the consumer did not previously possess. Any student of business has by now come to view marketing as fundamental a business activity as production. Any want that can be significantly moulded by advertising cannot possibly have been strongly felt in the absence of that advertising — advertising is powerless to persuade a man that he is or is not hungry.

… In 1942 a grateful and very anxious citizenry rewarded its soldiers, sailors, and airmen with a substantial increase in pay. In the teeming city of Honolulu, in prompt response to this advance in wage income, the prostitutes raised the prices of their services. This was at a time when, if anything, increased volume was causing a reduction in their average unit costs. However, in this instance the high military authorities, deeply angered by what they deemed improper, immoral, and indecent profiteering, ordered a return to the previous scale. …

The Theory of Social Balance

The final problem of the affluent society is the balance of goods it produces. Private goods: TVs, cars, cigarettes, drugs and alcohol are overproduced; public goods: education, healthcare, police services, park provision, mass transport and refuse disposal are underproduced. The consequences are extremely severe for the wellbeing of society. The balance between private and public consumption will be referred to as ‘the social balance’. The main reason for this imbalance is relatively straightforward. The forces we have identified which increase consumer demand as production rises (advertising and emulation) act almost entirely on the private sector. …

It is arguable that emulation acts on public services to an extent: a new school in one district may encourage neighbouring districts to ‘keep up’, but the effect is relatively minuscule.

Thus, private demand is artificially inflated and public demand is not, and the voter-consumer decides how to split his income between the two at the ballot box: inevitably public expenditure is grossly underrepresented. …

Big security problems with the current way Firefox handles extensions

From Help Net Security’s “Zero-day vulnerabilities in Firefox extensions discovered” (20 November 2009):

At the SecurityByte & OWASP AppSec Conference in India, Roberto Suggi Liverani and Nick Freeman, security consultants with, offered insight into the substantial danger posed by Firefox extensions.

Mozilla doesn’t have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension.

Any Mozilla application with the extension system is vulnerable to the same type of issues. Extension vulnerabilities are platform independent, and can result in full system compromise.

The Kraken botnet

From Kelly Jackson Higgins’s “New Massive Botnet Twice the Size of Storm” (DarkReading: 7 April 2008):

A new botnet twice the size of Storm has ballooned to an army of over 400,000 bots, including machines in the Fortune 500, according to botnet researchers at Damballa. (See The World’s Biggest Botnets and MayDay! Sneakier, More Powerful Botnet on the Loose.)

The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software.

Royal says like Storm, Kraken so far is mostly being used for spamming the usual scams — high interest loans, gambling, male enhancement products, pharmacy advertisements, and counterfeit watches, for instance.

Its bots are prolific, too: The firm has seen single Kraken bots sending out up to 500,000 pieces of spam in a day.

Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. “We know the picture… ends in an .exe, which is not shown” to the user, Royal says.

Australian police: don’t bank online with Windows

From Munir Kotadia’s “NSW Police: Don’t use Windows for internet banking” (ITnews: 9 October 2009):

Consumers wanting to safely connect to their internet banking service should use Linux or the Apple iPhone, according to a detective inspector from the NSW Police, who was giving evidence on behalf of the NSW Government at the public hearing into Cybercrime today in Sydney.

Detective Inspector Bruce van der Graaf from the Computer Crime Investigation Unit told the hearing that he uses two rules to protect himself from cybercriminals when banking online.

The first rule, he said, was to never click on hyperlinks to the banking site and the second was to avoid Microsoft Windows.

“If you are using the internet for a commercial transaction, use a Linux boot up disk – such as Ubuntu or some of the other flavours. Puppylinux is a nice small distribution that boots up fairly quickly.”

Van der Graaf also mentioned the iPhone, which he called “quite safe” for internet banking.

“Another option is the Apple iPhone. It is only capable of running one process at a time so there is really no danger from infection,” he said.

Malware forges online bank statements to hide fraud

From Kim Zetter’s “New Malware Re-Writes Online Bank Statements to Cover Fraud” (Wired: 30 September 2009):

New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report.

The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters html coding before it’s displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances.

The ruse buys the crooks time before a victim discovers the fraud, though won’t work if a victim uses an uninfected machine to check his or her bank balance.

The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to Yuval Ben-Itzhak, chief technology officer of computer security firm Finjan.

The victims’ computers are infected with the Trojan, known as URLZone, after visiting compromised legitimate web sites or rogue sites set up by the hackers.

Once a victim is infected, the malware grabs the consumer’s login credentials to their bank account, then contacts a control center hosted on a machine in Ukraine for further instructions. The control center tells the Trojan how much money to wire transfer, and where to send it. To avoid tripping a bank’s automated anti-fraud detectors, the malware will withdraw random amounts, and check to make sure the withdrawal doesn’t exceed the victim’s balance.

The money gets transferred to the legitimate accounts of unsuspecting money mules who’ve been recruited online for work-at-home gigs, never suspecting that the money they’re allowing to flow through their account is being laundered. The mule transfers the money to the crook’s chosen account. The cyber gang Finjan tracked used each mule only twice, to avoid fraud pattern detection.

The researchers also found statistics in the command tool showing that out of 90,000 visitors to the gang’s rogue and compromised websites, 6,400 were infected with the URLZone trojan. Most of the attacks Finjan observed affected people using Internet Explorer browsers …

Finjan provided law enforcement officials with details about the gang’s activities and says the hosting company for the Ukraine server has since suspended the domain for the command and control center. But Finjan estimates that a gang using the scheme unimpeded could rake in about $7.3 million annually.

Looking at others’ lives for clues to what might have been

From Tim Kreider’s “The Referendum” (The New York Times: 17 September 2009):

The Referendum is a phenomenon typical of (but not limited to) midlife, whereby people, increasingly aware of the finiteness of their time in the world, the limitations placed on them by their choices so far, and the narrowing options remaining to them, start judging their peers’ differing choices with reactions ranging from envy to contempt. The Referendum can subtly poison formerly close and uncomplicated relationships, creating tensions between the married and the single, the childless and parents, careerists and the stay-at-home. It’s exacerbated by the far greater diversity of options available to us now than a few decades ago, when everyone had to follow the same drill. We’re all anxiously sizing up how everyone else’s decisions have worked out to reassure ourselves that our own are vindicated — that we are, in some sense, winning.

It’s especially conspicuous among friends from youth. Young adulthood is an anomalous time in people’s lives; they’re as unlike themselves as they’re ever going to be, experimenting with substances and sex, ideology and religion, trying on different identities before their personalities immutably set. Some people flirt briefly with being freethinking bohemians before becoming their parents. Friends who seemed pretty much indistinguishable from you in your 20s make different choices about family or career, and after a decade or two these initial differences yield such radically divergent trajectories that when you get together again you can only regard each other’s lives with bemused incomprehension.

Yes: the Referendum gets unattractively self-righteous and judgmental. Quite a lot of what passes itself off as a dialogue about our society consists of people trying to justify their own choices as the only right or natural ones by denouncing others’ as selfish or pathological or wrong. So it’s easy to overlook that hidden beneath all this smug certainty is a poignant insecurity, and the naked 3 A.M. terror of regret.

The problem is, we only get one chance at this, with no do-overs. Life is, in effect, a non-repeatable experiment with no control. In his novel about marriage, “Light Years,” James Salter writes: “For whatever we do, even whatever we do not do prevents us from doing its opposite. Acts demolish their alternatives, that is the paradox.” Watching our peers’ lives is the closest we can come to a glimpse of the parallel universes in which we didn’t ruin that relationship years ago, or got that job we applied for, or got on that plane after all. It’s tempting to read other people’s lives as cautionary fables or repudiations of our own.

A colleague of mine once hosted a visiting cartoonist from Scandinavia who was on a promotional tour. My colleague, who has a university job, a wife and children, was clearly a little wistful about the tour, imagining Brussels, Paris, and London, meeting new fans and colleagues and being taken out for beers every night. The cartoonist, meanwhile, looked forlornly around at his host’s pleasant row house and sighed, almost to himself: “I would like to have such a house.”

One of the hardest things to look at in this life is the lives we didn’t lead, the path not taken, potential left unfulfilled. In stories, those who look back — Lot’s wife, Orpheus and Eurydice — are lost. Looking to the side instead, to gauge how our companions are faring, is a way of glancing at a safer reflection of what we cannot directly bear, like Perseus seeing the Gorgon safely mirrored in his shield.