Archive for November, 2005
Computer Security Awareness Day
It’s Computer Security Awareness Day! The day when security professionals are supposed to hand out tchotchkes to their co-workers as if that will make them stop doing stupid things with their computers.
Personally, I’m emailing everyone I know this really cool “security day” screensaver I found on some Russian Web site.
Posted in Security and Risk Management | No Comments »
Mafia Risk Management, Part II
According to a New York Times article, Security Flaw Allows Wiretaps to Be Evaded, Study Finds (full text from Interesting People mailing list, too),
The technology used for decades by law enforcement agents to wiretap telephones has a security flaw that allows the person being wiretapped to stop the recorder remotely, according to research by computer security experts who studied the system. It is also possible to falsify the numbers dialed, they said.
Someone being wiretapped can easily employ these “devastating countermeasures” with off-the-shelf equipment, said the lead researcher, Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania.
“This has implications not only for the accuracy of the intelligence that can be obtained from these taps, but also for the acceptability and weight of legal evidence derived from it,” Mr. Blaze and his colleagues wrote in a paper that will be published today in Security & Privacy, a journal of the Institute of Electrical and Electronics Engineers.
A spokeswoman for the F.B.I. said “we’re aware of the possibility” that older wiretap systems may be foiled through the techniques described in the paper. Catherine Milhoan, the spokeswoman, said after consulting with bureau wiretap experts that the vulnerability existed in only about 10 percent of state and federal wiretaps today.
“It is not considered an issue within the F.B.I.,” Ms. Milhoan said.
I’m with the FBI on this one. This is a non-issue.
According to the research paper the story is based on, a person with the appropriate technology can disable some wiretapping systems. Mafia cypherpunk “Little Nikki” Scarfo notwithstanding, the people who traditionally are the targets of wiretaps (organized crime) are not the most technical of folks. They’re not stupid, however.
If someone suspects they are being wiretapped, they’re not going to try to mitigate the risk by implementing technology which only works some of the time. A countermeasure that’s less than 100% effective is completely useless when the cost of a breach is 10 to 20 with time off for good behavior.
Instead, they’re going to avoid the risk by shifting their communications to alternate, secure channels such as face-to-face meetings, messages hand-carried by trusted intermediaries, or even carrier pigeons.
This isn’t necessarily Mafia-specific, but since wiretaps have been used primarily as a law enforcement tool against organized crime, I limit my analysis to the mafioso’s perspective. Telephone intercepts have been used in some counter-terror operations overseas, but I couldn’t find any on-line evidence of their successful use in the United States.
Posted in Security and Risk Management, Risk Management | No Comments »
“No fakes this week.”

Whenever I head over to China, my wife asks me if I’ll pick her up a new purse. Black ones during the winter, white or brightly-colored ones in the spring and summer. It’s a fashion thing and I don’t pretend to understand it. I just know that I’m supposed to pick up a purse for her just like I’m supposed to bring a stuffed animal home to my daughter. So more often than not, I head to one of the many multi-level half-mall, half-flea-markets in central Beijing where vendors aggressively push their counterfeit goods on anyone who walks past their booth.
If you need a watch, they’ve got Rolexes, Tag Heuers, and Patek Philippes. They might even keep time. If you need a purse, they’ve got Prada, Coach, Fendi, Louis Vuitton, and more. Some of them are even leather. The same goes for North Face jackets and backpacks, Nike shirts and shoes, or pretty much any other brand you can name. If they don’t have it in one stall, just walk next door and you’ll probably be in luck. None of them are real, of course, but they’re so cheap, you don’t care. The sport is in finding the better fakes and then bargaining for them.
Whenever I go, these places are packed with both tourists from around the globe as well as locals who want the latest styles but can’t afford to drop a month’s rent for a nice handbag.
This week, though, I noticed something different. None of the purses displayed on the vendors’ tables had any labels on them. The bags were the same. The exact same “Prada” purse that I brought home last time was even there, just missing its distinctive triangular badge.
“No Pradas today?” I asked the girl at the stall where I recognized the de-badged version of my wife’s summer purse.
“We have it,” the girl replied. She pointed to a row of purses. “We have these all Prada.”
“There’s no label on it.”
She looked at me hard for a second, then said, “We have it with label.” She pulled another purse out from under the counter. It was the same bag I was holding, only with the familiar “Prada” triangle affixed to it.
“Why was it under the table?” I asked her.
“Because of Bush and trade summit, they’re having crackdown on fakes. No fakes allowed this week. You come back next week, all will be normal again.”
I have no doubt she’s right. According to a year-old 60 Minutes rehash of a two-year-old story, “15-20% of all the goods in China are counterfeit.”
In my case, I know it’s not real (nor, for the equivalent of $12 US, would I expect it to be) and the bag I eventually buy will be both cheaper and, to be honest, of better quality than a cheap handbag back in the States. I don’t care if it says Prada on it or not; it’s easier for me to purchase a fake Prada than a real non-Prada over here. As a 2003 story in the Economist points out, part of the problem was created by the same companies that now suffer the most from consumer goods counterfeiting:
Since the 1970s, technological advances have taken much of the skill out of manufacturing. This has allowed big business to move its manufacturing base to poor countries to take advantage of low labour costs. Unfortunately, many of these businesses paid insufficient attention to the sort of intellectual-property rights (IPR) on offer in such places. Now they are paying the price.
…
Counterfeiting is as diverse as any legal business, ranging from back-street sweatshops to full-scale factories. Counterfeiters often get their goods by bribing employees in a company with a valuable brand to hand over manufacturing moulds or master discs for them to copy. One of the most infuriating problems for brand owners is when their licensed suppliers and manufacturers “over-run” production lines without permission and then sell the extra goods on the side.
The Economist also points out that this problem is not unique to China, either.
China is by no means the only big exporter of counterfeits. In its annual “Special 301” review, published earlier this month, the office of the US trade representative (USTR) fingered more than 30 countries as counterfeiting and piracy hotspots. Ukraine, for example, is awash in bootleg optical discs; Russia is running on counterfeit software; while Paraguay is rolling in imitation cigarettes. The USTR reckons that American industries lose $200 billion-250 billion a year to counterfeiting.
What I don’t know is how much of that $200b is actual losses. I tend to think it includes theoretical losses which count counterfeit sales as “lost” sales of the actual product, whether the purchaser would have bought the real good or not. If this were true, then China would be Rolex’s top market, a fairly impressive title for a country whose per-capita GDP is only $5,600 per year.
Or consider my wife’s new purse. Is this costing Prada a sale? Of course not. I don’t have $500 lying around for my wife to spend on a purse and I make a lot more than China’s per-capita GDP of $5,600/year. It might be costing Target a sale, but since their purses come from China anyway, all I’m really doing is saving a few dollars and cutting out the middleman. Maybe the $200b is the value of counterfeit goods in the supply chain being sold (and priced) as actual goods, but I find that hard to believe, too.
Let’s run some numbers, ignoring whether the data is from 2003 or 2004 to make my life easier. China’s 2004 GDP was $7.262 trillion. If 10% of their goods are, in fact, fakes, then that’s $726 billion in fake watches, purses, drugs, golf clubs, motorcycles, phones, CDs, etc., etc., etc. According to the Economist article, China produces just under 50% of the world’s counterfeit goods. That would imply that the world’s total pool of counterfeit goods last year was $1.5 trillion. That’s a lot of fake handbags.
Unfortunately, though, it’s not just fake handbags and watches. Counterfeit drugs cause multiple deaths every year and counterfeit aircraft parts are believed to have caused the crash of an American Airlines jet a few years ago.
I’m probably asking for trouble saying this, but I would argue that there’s a big difference between me knowingly buying my wife a purse which happens to say Prada on it (at least until the badge falls off) and counterfeit drugs or aircraft parts being sold as legitimate goods. If I want to buy a real Prada bag, I’m not going to go to a Chinese market. I’m going to go to the Prada store or a reputable retailer like Neiman Marcus. That is my mechanism for properly authenticating the seller as legitimate.
In the case of drugs or mechanical parts, there are so many different vendors and middlemen in the supply chain that it becomes nearly impossible to authenticate the goods without a security mechanism like RFID. In my opinion, this is one of the better proposed uses of RFID tags. The authenticity of high-value, easily-counterfeited products like pharmaceuticals can now be reasonably assured while increasing both supply chain efficiency and product safety. If properly implemented, RFIDs provide a nearly unbeatable countermeasure against forgery, so I don’t have to worry about the tail falling off my plane on the flight home.
What it comes down to, however, is that manufacturers ignored a key risk that came with outsourcing manufacturing, and now both they and the public at large are paying the price. Would manufacturers have made the same decision had they considered counterfeiting risk when evaluating off-shoring production? Probably, but it’s too late to put the genie back in the bottle now.
I learned a lot while writing and researching this post, both about the global counterfeiting problem as well as about my own attitudes toward it. If things seem a bit choppy, blame it on the rewrites and the jetlag.
Posted in Observations, Risk Management | 4 Comments »
Neat mailing list trick
This was just posted to the Full Disclosure security mailing list.
I’ve recently started using the highlight feature in evolution to apply colours to incoming mail where the ‘sender’ matches certain criteria - doing this lets me assign a pleasant (but obvious) colour to people I know and/or whose postings are interesting (respectively red and red-orange), and a vile colour to those whose postings are silly/downright stupid (respectively forest green and lime green).
Doing this, I’ve found, gives me a great indicator as to the qualities of a thread - a large amount of either colour clearly indicates the general tone of the thread (and a large amount of both tends to indicate a ‘hot topic’). Suffice it to say that unless looking for a comedy moment in my afternoon, I tend to ignore those putrid green threads and head straight for a red.
So simple, so elegant. I’m definitely going to try it.
Posted in General, Information Management | No Comments »
The real piracy
While reading about the recent attempted pirate attack on a cruise ship that has drawn sudden attention to the long-standing but little-known issue of piracy in the modern shipping trade (It’s interesting reading, but only Part III is specifically about piracy), I found this chock-full-of-statistics but much shorter article.
It raises an interesting point:
…there is very little financial incentive for both governments and shippers to deal with this crime. Piracy is costing shippers $.32 for every $10,000 of goods shipped estimates David N. Kellerman of Maritime Security. Not only is the economic cost inconsequential to companies, so it is to some governments.
Sound familiar? If I’m the corporate owner, the cost is inconsequential. If I’m a sailor on one of these ships, though, the cost is a little more significant:
Merely one year before, in September of 1998, a smaller Japanese-owned freighter named the Tenyu had gone missing soon after departing from the same port of Kuala Tanjung with a similar load of aluminum, and a crew of fifteen. Three months later the Tenyu was discovered under a changed name and flag in a Chinese port, but the cargo was missing, as was the original crew, all of whom are presumed to have been killed.
Ship owners can transfer the risk of piracy with insurance, but sailors only have two options. They can either avoid the risk by finding a new vocation (avoiding working on vessels which travel through pirate-prone regions is not really an option for crew members) or hope that the shipowners mitigate it by implementing anti-piracy safeguards such as anti-boarding defenses or armed guards, at least for passing through piracy-prone areas.
So what can be done? According to The Asia Research Center at Murdoch University, not much.
a number of companies offer armed escort vessels for shipping in high risk areas and piracy hotspots, such as the Malacca Straits. However, the publication of a handful of newspaper articles in the Straits Times, describing these services (Boey 2005: 3; Sua 2005: H4-5) sparked an outcry from Malaysian and Indonesian authorities. Both countries rejected the employment of private armed escorts, with the Malaysian Director of Internal Security and Public Order, Datuk Othman Talib, warning that any such vessel found in Malaysian waters would be detained, and the crew arrested and categorised as terrorists or mercenaries. They would then be charged under the Internal Security Act. He also pointed out that any PSC wishing to operate in Malaysian waters has to apply for a permit from the Ministry of Internal Security (Marinelog.com 2005; Bloomberg.com 2005).
…
PSCs [Private Security Companies] also have to compete with local authorities and institutions like the IMB’s Piracy Reporting Centre (PRC) for contracts. While a number of government offices, NGOs and other institutions offer political risk analysis, the IMB also regularly publishes reports on piracy and armed robbery at sea (Zou 1998: 13). Furthermore, it has a proven track record of successfully assisting victims in the recovery of hijacked vessels and stolen cargo. The IMB also has the advantage of providing these services most likely substantially cheaper than private companies.
For the shipowner, the dollar cost is acceptable…so long as the value of the crew is zero or close to zero.
The real irony, though, is that efforts by potential victims to prevent seaborne lawlessness are hampered legally by many of the same governments who are failing to prevent seaborne lawlessness.
Finally, by reducing the expected cost of an incident, the IMB reduces the likelihood that shipowners will bring economic or political pressure to bear to create a climate where meaningful anti-piracy countermeasures can be implemented.
Update: This is not to imply that PSCs don’t provide significant numbers of armed guards aboard ships. I realized that my excerpting implied a lack of self-defense efforts in my original post. Most shipowners accept/ignore the risk to their crews and focus solely on optimizing their financial risks unless the likelihood of an incident is extremely high or the boat is owner-operated (e.g. some tuna boats fishing off the Philippines).
Read the Asia Research Center paper in its entirety for the best summary of the state of maritime security.
Posted in Security and Risk Management, Risk Management | 2 Comments »
This is my (work) life
This is the sort of thing that has been sucking up all my mental energy of late. Attending meetings with subjects like
Clarification of funds that are NOT available for this year and NOT in the budget for next year.
Wish me luck.
Posted in General, Office Life | No Comments »