Archive for February, 2005

280 CD’s…just 14.95

Tuesday, February 15th, 2005

So Marv figured out how to burn useful (non-DRM’ed) CD’s of the DRM’ed music from the new Napster. And he figured out that if you really cared, you could download and burn all that music to CD. And he’s explained how. And it’s really, really easy. And it uses only freely available software–the Napster software itself, WinAMP (a product of NullSoft, aka AOL-Time-Warner), and a WinAMP plugin.

What does this prove?
1) DRM doesn’t work
2) Consumers hate DRM. (They hate it even more when they find out about it The Hard Way, but that’s really a point for an iTunes-related post)
3) Security which inhibits normal, expected activities will be circumvented.

I think it’s time for a little refresher on Why DRM is bad. From Cory Doctorow’s excellent essay, it comes down to:

1. That DRM systems don’t work
2. That DRM systems are bad for society
3. That DRM systems are bad for business
4. That DRM systems are bad for artists
5. That DRM is a bad business-move for MSFT

If you’ve never read his essay, I highly suggest you make some time to do so now.

Red Tape Helps Terrorists

Monday, February 14th, 2005

KasLog has a posting which follows up on a couple others, including an earlier KasLog post, Red Tape Helps Terrorists, discussing stupid “security” rules that reduce, rather than improve, security.

Stealing his punchline:

All this would be funny, if it wasn’t so deadly serious. Every bit of red tape we create ties up valuable law enforcement resources, creates ill will in the community, and ultimately helps terrorists who can easily outmaneuver the desk jockeys.

We see this again and again. All too often, the people making “security” decisions are simply not qualified to do so. They don’t understand even the most fundamental aspects of Risk Assessment and Management. These are bureaucrats flailing about, looking for something they can do which creates the Appearance Of Action.

At best, this is what Bruce Schneier refers to as, “Security Theater,” security measures which look good to the uninformed but don’t actually help security. The example he gives was the presence of armed troops at airport metal detectors in the months immediately following 9/11. It made people think that “something was being done.” It didn’t actually increase security, however, but that wasn’t the point–its purpose was to make people feel better.

Similarly, security which is either excessively expensive or inconvenient, “excessively” traditionally being defined as, “costing more than the value of the assets it protects,” is Bad Security. This includes not just monetary costs, but any other trade-offs as well, such as violations of Civil Rights.

And to make matters worse, feeling safer tends to have a high opportunity cost and may actually leave you less secure. Thus, if you’re going to do something to increase security, you’d better be darn sure it actually does. Otherwise, it could be having the opposite effect.

Gartner disses Firefox

Monday, February 14th, 2005

Hmmm….maybe it’s time to send the Gartner analysts out for some remedial Clue Development courses. According to Computerworld, Gartner says that, “Firefox is sure to be targeted by more malicious code as its market share grows.”

In the meantime, Firefox’s growth may prove to be limited. Individuals are switching to the browser because of the appeal of features such as tabbed browsing, integrated search, better standards support, and easy installation and removal, Gartner said. The browser’s design — without ActiveX or deep hooks into the operating system — also makes security flaws less serious and patches easier to test and apply.

Let me get this straight…Firefox is better on features, better on standards, better on security, better on support, but don’t switch, because six months from now, it could begin to experience a fraction of the problems that plague the leader (IE) today?

This paragraph doesn’t even make sense! As a general rule, in essay writing, your facts should support your thesis. If Gartner’s facts don’t support their thesis, then they should probably reconsider their assumptions. But that’s just me, a no-name security guy, rather than a big-name analyst.

*grumble*

Yes, largely, I’m preaching to the choir here–Internet Explorer only has 48% share of my site’s traffic and a 70% Windows proportion for Operating System.

The War On Freedom Terror

Sunday, February 13th, 2005

You don’t have Rights if you’re not allowed to exercise them. This is a chilling account by a professional photographer of his experience with the San Francisco Transit Police (BART PD) and San Francisco Police (SFPD). In his own words, when he attempted to shoot some photos of a BART station platform:

… The short version is that The Fare Inspectors tried to prevent me from taking photos under threat of citation. When I refused to stop, they tried to cite me but couldn’t find any relevant code, regulation or law to cite me. Enlisting the aid of the SFPD and BART Police officers also yielded no results. No citation was issued.

He has links to a detailed account in the linked blog posting.

Essentially, what the police told him was, “Just because it’s legal and a Constitutional Right doesn’t mean we won’t find some way to arrest you or harass you for attempting to exercise it.” If the only things being done in the name of “security” are Security Theater at best and Illegal Thuggery at worst, then I can’t help but believe that America has lost the utterly mis-named, “War on Terror.”

It’s times like these that I wonder what the future of Security and Risk Management holds. Real security professionals of all stripes (both information and physical) are trained in how to identify the most effective and least intrusive ways to protect assets. Real security people don’t harass people for the crime of knowing and exercising their rights. Whenever I see or hear an account of this sort of official harassment, it makes me sick.

It’s not what you know, it’s what you have

Friday, February 11th, 2005

Bruce Schneier has plainly said what I think many of us in the security business believe:

Passwords have reached the end of their useful life. Today, they only work for low-security applications.

This also came up earlier this week in an article, “The Password Is Fayleyure,” which further argues the same point (albeit with a different take on the road ahead). Heck, even Bill Gates said it back in November, according to Scott Granneman over at SecurityFocus, in case you don’t take my word for it.

The most frustrating part of this mess is that the cost of the technology required to move beyond passwords is now negligible compared to the value of the assets that, with the growth of on-line banking, shopping, etc., are often secured only by a password. Unfortunately, the entities that bear the cost of the fraud are usually consumers, who have no ability to drive the adoption of two-factor authentication.

Unfortunately, until the service providers are on the hook if they don’t at least offer strong authentication, they will have no motivation to Do The Right Thing. Personally, I’d prefer to offer the carrot that organizations that adopt it are off the hook for liability, while those that don’t remain on it. Two-Factor authentication for Internet-based commerce should be considered a basic standard of Due Care these days.

I’ve seen various discussions which question how practical it would be to carry a wad of key fobs around. Personally, I don’t think that should be necessary; a key fob capable of storing multiple keys would be trivial to implement. Even the ability to share a single fob key among multiple sites would be an improvement, although this still leads to the creation of “sets” of accounts, just as most people now do with password re-use.

Even better would be if I could have a “shared” fob. So long as the vendors used an open, peer-reviewed algorithm, we’d be good-to-go. So why aren’t we?
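As an added sketch of the multi-key fob argued for above (my own illustration, not code from the post or any vendor), here is what the two designs look like side by side: one token holding an independent secret per site, so a code minted for the bank means nothing to the shop, versus one secret shared by two sites, where each site can verify the other’s codes (the “sets of accounts” problem). It assumes an HMAC-based counter OTP (RFC 4226 HOTP) as the “open, peer-reviewed algorithm”; the site names and secrets are constructed.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password with dynamic truncation (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class MultiKeyFob:
    """One physical token holding an independent secret and counter per site."""
    def __init__(self):
        self._slots = {}  # site name -> [secret, next counter]
    def enroll(self, site: str, secret: bytes) -> None:
        self._slots[site] = [secret, 0]
    def next_code(self, site: str) -> str:
        slot = self._slots[site]
        code = hotp(slot[0], slot[1])
        slot[1] += 1  # never reuse a counter value
        return code

class SiteVerifier:
    """Server side: knows only its own secret; accepts a small look-ahead window."""
    def __init__(self, secret: bytes, window: int = 5):
        self._secret, self._counter, self._window = secret, 0, window
    def verify(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1  # resync and burn the used counter
                return True
        return False

def demo() -> dict:
    # Constructed sample secrets; a real fob would generate these at enrollment.
    bank_secret, shop_secret = b"bank-key-constructed-sample", b"shop-key-constructed-sample"
    fob = MultiKeyFob()
    fob.enroll("bank", bank_secret)
    fob.enroll("shop", shop_secret)
    bank, shop = SiteVerifier(bank_secret), SiteVerifier(shop_secret)
    code = fob.next_code("bank")
    shared = b"one-key-shared-by-two-sites"  # the "sets of accounts" case
    site_a, site_b = SiteVerifier(shared), SiteVerifier(shared)
    shared_code = hotp(shared, 0)
    return {
        "bank_accepts_own": bank.verify(code),
        "replay_rejected": bank.verify(code),
        "shop_rejects_bank_code": shop.verify(code),
        "shared_key_links_sites": site_a.verify(shared_code) and site_b.verify(shared_code),
    }
```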

I love search engines

Thursday, February 10th, 2005

So I made the #5 entry on a Yahoo Search. For real. Check it out.

Admittedly, it was for “katie couric’s new hairstyle” rather than anything serious. (I did mention it, but only as a joke.) Oh, well. Some poor celebrity-obsessed soul got an eyeful about how much risk they unknowingly assumed when they clicked on that link. Serves ‘em right for caring that much about celebrity hair.

I especially love how they blended it with another post to produce the rather sublime summary line, “… The New Yorker really got it wrong when they ran the now-famous cartoon by Peter Steiner which … contemplated whether or not Katie Couric’s new hairstyle makes her look older …”

Screenshot after the jump.


The role of Hope in the Patch Management process

Thursday, February 10th, 2005

So the question just came up on one of my mailing lists as to whether NT 4 is also vulnerable to the items in Microsoft’s February Patchaliciousness. No patches or advisories were provided since it’s now thoroughly de-supported by Microsoft. While this person knew better, I know that there are people out there right now hoping that just because no one told them they’re vulnerable, they’re not.

In response, let me offer this rule of thumb: If the feature existed in Version X, then Version X is probably vulnerable too, supported (tested for the vulnerability and/or patched) or not.

Given the numerous instances of code re-use across versions down in the “plumbing” of large projects like operating systems, application servers, databases, etc., my guess is that NT4 is probably vulnerable as well, although the offsets for the overflow may be a little bit different. If so, working offsets will probably be found and published in short order. Consider the cross-version vulnerabilities of MS04-011, for example.

This is pretty much identical to the Oracle #68 vulnerability from last August. A pre-authentication buffer overflow in the SQLNet database listener affected versions that had been de-supported for years, simply because that code had been re-used without changes across multiple versions of Oracle.

So for anyone out there hoping that just because it wasn’t listed, it’s not vulnerable, I’d like to suggest instead that you hope you get enough time to upgrade or effectively firewall any at-risk NT4 boxen before this turns into something Really Nasty.

Good luck. I hope you don’t need it.

What’s that word? Ira-something…?

Wednesday, February 9th, 2005

So I get the monthly “Benefits” email in my work inbox just now and open it up to see how HR isn’t going to make my life better this month. One of the “features” they have is about How To Avoid Identity Theft. Hmm, I think, I wonder if this is going to give me anything to rant about? So I click the link and am taken to an external (from work) site which wants me to provide all kinds of Personally Identifying Information to register an account so I can read the article.

Umm…thanks but no thanks. I’ll just continue to try and avoid becoming part of the problem.

The FDIC thinks Banks can do more about account hijacking

Tuesday, February 8th, 2005

As this news story, about a man who’s suing Bank of America after his account was looted when his credentials were stolen by the Coreflood virus, indicates, the banks aren’t going to tackle this problem on their own. From the news story:

In a letter obtained by the Sun-Sentinel, Richard Heilbron Jr., Bank of America’s assistant general counsel, wrote to Lopez’s attorney on April 21 that the bank was not responsible for the loss because no one hacked into its system to initiate the wire transfer.

In a letter exactly one month later, Heilbron wrote that Parex had told Bank of America that any action to recover the funds would require a request to Latvia’s Office of the Prosecutor for a criminal investigation.

“Since we are not responsible for the fraud and have not ourselves sustained a loss, we are not in a position to make such a request,” Heilbron wrote. In yet another letter in July, Heilbron wrote that Bank of America had no legal recourse against Parex because it was not the victim of the fraud. “We too would like Ahlo Inc. to recover its funds,” he wrote.

I’ll bet B of A would like Ahlo to recover its funds. I’ll bet B of A would also like this whole incident to blow over without any more press coverage. But if they were serious about ending on-line account hijacking, B of A would realize that the increased deployment and support costs of Hard Tokens is a necessary security step.

Even the Federal Deposit Insurance Corporation (FDIC) says Two-Factor authentication is a good idea. They have now published a paper, “Putting an End to Account-Hijacking Identity Theft.”

Their key findings are:

Fraudsters are taking advantage of the reliance on single-factor authentication for remote access to online banking, and the lack of e-mail and Web site authentication, to perpetrate account hijacking. Financial institutions and government should consider a number of steps to reduce online fraud, including:

1. Upgrading existing password-based single-factor customer authentication systems to two-factor authentication.
2. Using scanning software to proactively identify and defend against phishing attacks. The further development and use of fraud detection software to identify account hijacking, similar to existing software that detects credit card fraud, could also help to reduce account hijacking.
3. Strengthening educational programs to help consumers avoid online scams, such as phishing, that can lead to account hijacking and other forms of identity theft and take appropriate action to limit their liability.
4. Placing a continuing emphasis on information sharing among the financial services industry, government, and technology providers.

This sounds pretty familiar when I put it in slightly different wording:
1) Implement real access controls. Passwords alone are a joke. — no surprise there
2) Deploy security monitoring systems — no surprise again
3) Raise Security Awareness — Heard that before, I think
4) Hang together (or hang separately) — Industries that refuse to police themselves tend to get policed.

While I’m still a pretty small minority, I know that if I could choose between a bank which offered two-factor authentication for on-line banking and one that didn’t, I’d choose the bank with the two-factor product. While I don’t know what level of awareness will be necessary before this is an economically-viable model, I do know that it’s probably inevitable. As other, less-valuable resources increasingly are secured with a second authentication factor, people will begin to question why their bank account is less secure than their email account and vote with their feet. And when that happens, the banks that don’t have a solution in place will pay the price.

Reaching New Lows: Copyrighting Public Space

Monday, February 7th, 2005

I’m tempted to add a new category to my blog just for articles about things as silly as this one on New (Sub)Urbanist. Basically, it says that images of the centerpiece sculpture in Chicago’s Millennium Park, commonly referred to as The Bean, are copyrighted and may not be taken.

This whole mess seems fundamentally “broken” to me. First, the City of Chicago bought a very shiny new sculpture to put in their shiny new park. But, the story goes, they managed to separate the Image Rights (the copyright) from the sculpture itself. So now I’m to believe the City owns the large piece of metal decorating their park, but not the right to photograph it for commercial purposes–that belongs to the sculptor.

If the City were merely banning all commercial photography of The Bean, that would at least be consistent with their claims of upholding the copyright protections according to the law. Any issues relating to whether the City was smart or dumb in not obtaining those rights are a separate discussion.

But what they’re really doing is forcing commercial photographers to purchase (expensive) permits to take their pictures (and it’s just commercial, according to the original article which is linked from New (Sub)Urbanist above). So is the City forwarding any permit fees they collect on to the rightsholder? If so, how do they determine what proportion of those permit fees go to which sculptor, assuming that more than one is involved?

But if they aren’t forwarding those fees on, then the city is now selling something they don’t own, violating the very copyright license they claim to be enforcing! So which is it? Does the city have a franchise to sell Commercial Photography permits for The Bean or doesn’t it?

Is the City of Chicago merely an especially-inept contract negotiator, or are they Copyright Scofflaws as well?

P.S. Boing-Boing is getting in on this bit of silliness, as well.