Archive for April, 2005
ISP’s as the content industry’s Risk Aggregators
So over at CoCo, they’re reporting on a suggestion that ISP’s should self-regulate to help the Movie & Music industries better harass sue their customers:
Several of these propositions blatantly violate the privacy protection of users. Advance disclosure of one’s identity to aid copyright enforcement would be a significant weakening of users (defense) rights. The content industry could skip getting a court order to require ISPs to link subscriber’s names to IP addresses.
Furthermore, these are just more examples of a tendency to focus on internet intermediaries for law enforcement. The current restricted liability is subject to renewed scrutiny, and might be widened at the expense of ISPs, or better, its subscribers.
So what the Music & Movie industries are effectively saying is, “Hey, ISP’s. Your customers don’t see the risk of being sued by us for trading files as too great to assume. Will you aggregate their risk for us so it won’t be so expensive to sue individuals and they will thus feel the need to mitigate it by not uploading and downloading?”
More on Skype and Risks
Over at FinancialCryptography, IanG had some thoughts on my Skype Risk Notes from yesterday. This was originally my reply to his comments, but it wound up covering enough of the ground that I’d previously left unexplored that I’ve decided to post it here.
As Ian said:
The bottom line was that the risks remain low; although Cubicle didn’t say that. Score 3 points for Jedi Knights of the Crypto Rebellion, taking their score to 4.
I said more about how low risk Skype is to security a while back (click on Jedi above), and stirred up a storm of controversy. That’s because I treat security from a statistical and opportunistic fashion: if it improves the situation then that’s .. an improvement. That’s good, by definition. If it ain’t there, that’s not an improvement, by definition. So if you don’t use a crypto product because it has some unvalidated weakness, then by definition you have reduced your security. That’s bad.
I’ll agree that the current risk of Skype being used as an exploit vector seems to be either low or very low. The big issue at this time is that there are significant unknowns which could change that assessment in the blink of an eye.
(more…)
Model Regime for Privacy Protection, v2.0
Solove and Hoofnagle just released Version 2.0 of their paper, “A Model Regime of Privacy Protection.” It adds a significant amount of background covering the current state of Privacy Law and the Database Industry, summarized as:
Currently, the collection and use of personal data by businesses and the government is spinning out of control. An entire industry devoted primarily to processing and disseminating personal information has arisen, and this industry is not well-regulated. Many companies brokering in data have found ways to avoid being regulated by the Fair Credit Reporting Act (FCRA), a landmark law passed in 1970 to regulate consumer reporting agencies. Increasingly, the government is relying on data broker companies to supply personal data for intelligence and law enforcement purposes as well as to analyze it. As a result, the government is navigating around the protections of the Privacy Act, a law passed in 1974 to regulate the collection and use of data by government agencies.
(emphasis mine)
As currently regulated, Personal Privacy can be violated with impunity by any number of entities for commercial or criminal gain. Addressing this imbalance will certainly impose additional costs on commercial database brokers. As a result, there are those who argue that it is somehow unfair to limit the freedoms of companies or the State at the cost of the Individual. In my personal opinion, this is fundamentally wrong.
As the Choicepoint Debacle has shown, the risks associated with aggregating and selling personal data have consistently been transferred from the data aggregators onto their subjects. Creating a legal framework which places those risks back onto the entities who would profit from those activities is not only correct but rational. If the cost of mitigating the Risks inherent in these activities exceeds the economic benefit, then the companies should cease to exist to the net benefit of the Greater Good.
When considering the relationship of Government to Privacy, the situation becomes more complex. As is noted in later provisions (12,13,14) of Version 2.0, the potential for error with no current options for redress on the part of the victim creates a dangerous imbalance. If I wind up unjustly imprisoned because of a records error, that’s a much more serious problem than if I’m wrongly denied credit.
Version 2.0 adds significant background on the current privacy landscape, expands its coverage as compared to version 1.0, and provides coverage of the discussion it provoked.
Still, I’ve got a few points that I’d like to see addressed. What else would you expect from me?
This got looooong somehow…
(more…)
Skype Security Research
I’ve been doing a lot of work with VOIP in my Enterprise lately, so when Skype started turning up on laptops in significant numbers, I guess I became a logical Go-To Guy to look into it. This is a summary of what I’ve pulled together for presentation to senior management. What they do with it, however, is their business. As I’m always quick to point out, I don’t Manage the Risks; I just Assess and Analyze them.
I think that most of the security concerns at this time are more that the Skype organization has been completely unwilling to allow third-party review of their security measures and have even gone so far as to have the application disable itself if certain debuggers (i.e. SoftICE) are even installed on the same machine. The lack of good answers back from the Skype team to Garfinkel (a credible, disinterested party) is also not consistent with the actions of an organization which feels they have nothing to worry about in their crypto implementation.
This behavior is completely inconsistent with the ethos of cryptography in particular and “honest” software vendors in general. When you factor in their association with Kazaa (same company, same network architecture and, from what I’ve read, maybe even the same dev team), the product starts to look worse and worse.
From an end-user perspective, I know a significant number of people who use the application and they all say that, from a functional perspective, it works well–good voice quality and reliability.
Thus, as I currently see it, while we have no known threats immediately identifiable, there are a lot of unknowns and some less-than-encouraging behavior. On the other hand, Skype is seeing a skyrocketing adoption rate with no ill effects documented thus far, so it may be that we’re falsely assuming that paranoia necessarily implies ill intent. To me, this is the worst sort of, “knowing we know nothing.”
Skype was pretty easy to get a handle on. I was already pretty familiar with it from reading “An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol” by Salman A. Baset and Henning Schulzrinne when it came out and have been following some interesting discussions on it in the past month or so. Throw in the fact that I’m far from the first person to take a look at it and this became more of a documentation project than an actual research effort.
What’s wrong with this picture?
Adam Shostack over at Emergent Chaos hooked me up with this blog*on*nymity posting about the US Federal Government’s plan to begin amassing a serious set of Personal Data on every college student in America.
From the Federal Computing Article:
The proposed database would provide individually identifiable student information, including names, Social Security numbers, number of courses taken and credits earned, degrees completed, and actual education costs.
…
According to the study, federal officials and lawmakers need the database of student records to obtain more accurate measures of institutional accountability and program effectiveness. It states that the proposed database would help policy-makers calculate, for example, the net price of college education and to monitor in real time federal student aid programs, such as Pell grants, and variations in aid packaging.
Personally, I smell a rat. If they really just want to do reporting on program effectiveness and pricing analysis, then they don’t need actual names or social security numbers, merely unique-ish keys, like an MD5 or SHA-256 hash of those values (we’re not worried about collisions here, only irreversibility). “28b6e94d3ae824f599908ae125a3935d” is just as good a unique identifier as “123-45-6789” in the eyes of a relational database and it’s a whole lot harder to use an md5 hash to invade someone’s privacy. This is yet another perfect example of a need for a translucent database.
While I’m not normally one to ascribe malicious intent when mere stupidity suffices, I’ve seen some previous rumblings (which I can’t find at this moment for a link) about this database being a precursor to identifying eligible draftees for the US Army. It could also be that the decisionmakers on this effort are so naive as to think that a law against stealing their data will stop thieves.
Of course, it would still be trivial to back out eligible draftees since the Army would also be able to hash SSN’s to help find the people of interest, it would just be a little more work. Still, it would eliminate a big fat opportunity for Bad Things to happen to college students. Of course, if the goal is to identify people to send off to die somewhere, I guess you’re not too concerned about a little identity theft Fraud-by-Impersonation against them.
So, take your pick…unnecessary assumption of Risk on others’ behalf or evil intent.
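An added example, not part of the original post, of the pseudonymous-key idea above and its caveat: reporting still works on hashed keys, but anyone who already holds an SSN can recompute an unkeyed hash and find the matching rows. The keyed (HMAC) variant goes beyond what the post proposes; all function names, the secret and the sample records are constructed assumptions.

```python
import hashlib
import hmac

def plain_key(ssn: str) -> str:
    """Unkeyed pseudonym: SHA-256 of the normalized SSN."""
    return hashlib.sha256(ssn.replace("-", "").encode()).hexdigest()

def keyed_key(ssn: str, secret: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA-256 under a secret only the custodian holds."""
    return hmac.new(secret, ssn.replace("-", "").encode(), hashlib.sha256).hexdigest()

def pseudonymize(rows, key_fn):
    """Drop name and SSN, keep the reporting fields under a pseudonymous key."""
    return [{"student": key_fn(r["ssn"]), "credits": r["credits"], "aid": r["aid"]}
            for r in rows]

def total_credits(rows):
    """Per-student aggregate; needs only the pseudonymous key, never the SSN."""
    totals = {}
    for r in rows:
        totals[r["student"]] = totals.get(r["student"], 0) + r["credits"]
    return totals

def can_link(known_ssn: str, rows, key_fn) -> bool:
    """Can a party that already holds an SSN locate that person's rows?"""
    return key_fn(known_ssn) in {r["student"] for r in rows}

# Constructed sample records: fictional names, made-up SSN values.
RECORDS = [
    {"name": "A. Student", "ssn": "900-00-0001", "credits": 12, "aid": 2500},
    {"name": "A. Student", "ssn": "900-00-0001", "credits": 15, "aid": 2500},
    {"name": "B. Student", "ssn": "900-00-0002", "credits": 9, "aid": 0},
]
CUSTODIAN_SECRET = b"constructed-demo-secret"  # assumption: known only to the custodian

plain_rows = pseudonymize(RECORDS, plain_key)
keyed_rows = pseudonymize(RECORDS, lambda s: keyed_key(s, CUSTODIAN_SECRET))

if __name__ == "__main__":
    print("credits per pseudonym:", total_credits(plain_rows))
    print("linkable, unkeyed hash:", can_link("900-00-0001", plain_rows, plain_key))
    print("linkable, keyed hash without the secret:",
          can_link("900-00-0001", keyed_rows, plain_key))
```

With the keyed form, the ability to join an outside list of SSNs against the database depends on who holds the secret, which turns the linkage question into a key-custody decision.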
The WordPress mess didn’t have to happen
In a classic example of poor Risk Management causing what should have been a minor decision to blow up horribly in people’s faces, it came out late last week that WordPress has been funding some of its activities in a pretty dumb way.
Was this mess avoidable? Of course. A decision had to be made and a well-intentioned person chose the wrong path. Had Matt considered the risks, I believe that he would have chosen differently, as the Three-and-a-Half Question Model will show.
(more…)
Foolish consistency is the hobgoblin of the small mind
Over at Perilocity today, John Quarterman has a nice posting on Examining Presuppositions and how a failure to do so can produce extinction.
He talks first about an example from Jared Diamond’s new book, then draws some parallels to the state of Corporate Risk Management today.
(more…)
VOIP + Telemarketing = Fiction
I loved this article, “VoIP to Open Door for Flood of Overseas Telemarketing,” in the same way that I love good science fiction. All you need to do is accept (willingly suspend disbelief) a handful of fictions and suddenly an entirely unexpected but completely plausible story breaks out.
(more…)
KasLog sets me straight
KasLog has set the record straight with regards to his comment spam actions. He’s not going ballistic on comment spam after all:
No, my plan is not to build a comment spam killer for WordPress, but rather to document my thinking about the licensing terms for a project I’m working on.
The reason I mentioned the comment spam fix was to illustrate one of the great things about Open Source, namely the ability to make a quick change to the source, to solve a specific problem; something that’s pretty much out of the question with closed source commercial products.
Sorry for the confusion.
Sure I’m disappointed, but more in a “that would have been fun to watch” than a “I thought you were going to magically solve the comment spam problem” kind of way.
“Don’t believe half of what you see…
