NSL: Internet Archive Exposes Lack of Security in National Security Letters

The Internet Archive has for a decade been a cornerstone of the Internet, and the FBI was foolish to try to break it:

The FBI has withdrawn an illegal National Security Letter seeking information from an online library and has lifted a gag order that until Wednesday prevented any discussion of the information request.

Lawyers from the American Civil Liberties Union and Electronic Frontier Foundation helped the Internet Archive push back against what they say was an overly broad and unlawful request for information on one of its users. The FBI issued its National Security Letter in November, but ACLU, EFF and Archive officials were precluded from discussing it with anyone because of a gag order they say was unconstitutional.

After nearly five months of haggling, the FBI eventually withdrew its NSL, which requested personal information about at least one user of the Internet Archive. Founded in 1996, the archive is recognized as a library by the state of California, and its collections include billions of Web records, documents, music and movies.

— Watchdogs prompt FBI to withdraw 'unconstitutional' National Security Letter, Nick Juliano, therawstory, Published: Wednesday May 7, 2008

The article goes on to say that the FBI has issued 200,000 National Security Letters, that almost none of those NSL have been challenged, yet every single time someone has challenged an NSL in court, the FBI has withdrawn it.

How do these NSL represent "Security"?

In any case, National Security Letters were authorized by the mis-named Patriot Act. Brewster Kahle has shown us how a real patriot acts:

Class Action Coming for Identity Theft?

It wouldn't be a moment too soon:

I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn't happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.

— Signs of Liability: 'Zero Day Threat' blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008

The book review iang quotes gets it about online crime not being amateur anymore: it's organized. And it gets it about perhaps a more important point:

OK Leaks Tens of Thousands of SSNs for Years

You'd think they'd know better:

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years.

— Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data, by Alex Papadimoulis in Feature Articles, The Daily WTF, 2008-04-15

But the best part is what it took to get the state to fix it:

Auditing Georgia Government Security

Georgia's governor wants to standardize information security reporting across the entire state government:

The Executive Order calls for a single set of information security reporting standards for all agencies to follow. Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.

Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor's Office of Planning and Budget to develop a reporting format and required content for agency information security reports. Each agency will be responsible for reporting to GTA at the end of the fiscal year. GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.

— Gov. Perdue Signs Executive Order Strengthening Georgia's Information Technology Security, News Report, Government Technology, Mar 20, 2008

I think this is a good move. Now how about monthly reporting in a publicly visible web page.

-jsq

New School: New Book by Adam Shostack

Adam Shostack, whose group blog Emergent Chaos I quote frequently in this blog, has a new book coming out with co-author Andrew Stewart: New School of Information Security.

We think there's an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn't just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new source of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

— The New School of Information Security, Adam Shostack, Emergent Chaos, 10 March 2008

I haven't read the book yet, since it's not published yet, but if it's like the material he posts in his blog, it's a good thing.

One of his commenters doesn't get it:

Availability Is Not Security If an Abandoned Sea Anchor Cut the Cable?

I see in some fora people are still arguing that security involves countering malicious actors, and availability alone is not security, even if people are depending on availabity.

Were all those recent cable cuts in the Med. and the Persian Gulf not security issues, even though some of the affected companies are now planning to spend $300-400m on physical security to fix the problem?

If the culprit had been a Russian mobster or Al Qaeda or the CIA rather than (in one case) an abandoned ship anchor, then it would have been security, but now it's not?

-jsq

Publicity about Internal Fraud: Still an Issue after 30 Years

Adam quotes a 30 year old book about computer security and notes that the IRS then and now doesn't adequately protect taxpayers' information and promises to do better. His quote that I like best, though is:

Top management people in large corporations fear that publicity about internal fraud could well affect their companies' trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil... (Computer Capers, page 72)

— Computer Capers: Tales of electronic thievery, embezzlement, and fraud, by Thomas Whiteside, Ty Crowell Co., 1978

That's why corporations fear a breach reporting reputation system. That's also why we need one.

-jsq ~

Canadian Breach Reporting

Michael Geist's top tech law issue for Canada for 2008 is:

Security Breach Reporting Rules Are Introduced. Scarcely a week went by last year without a report of a security breach that placed the personal data of thousands of Canadians at risk. Last spring, a House of Commons committee acknowledged that the country needs mandatory security breach disclosure legislation that would require organizations to advise Canadians when they have been victimized by a breach.  A public consultation on the issue concludes next week and new regulations will be introduced before the summer.

— Eight Tech Law Issues To Watch in 2008, Michael Geist, Tuesday January 08, 2008

That would be a good thing.

-jsq

Traffic Control Viewed as ISP Risk

Certain ISPs plan to spend a lot of money throttling, stifling, policing copyrights, campaigning and lobbying to control content of information flow through their networks. They might want to look at what's happening in China:

Beijing has recently added a new weapon to its arsenal of surveillance technologies, a system it believes to be a modern marvel: the Golden Shield. It took eight years and $700 million to build, and its mission is to "purify" the Internet — an apparently urgent task. "Whether we can cope with the Internet is a matter that affects the development of socialist culture, the security of information, and the stability of the state," President Hu Jintao said in January.

The Golden Shield — the latest addition to what is widely referred to as the Great Firewall of China — was supposed to monitor, filter, and block sensitive online content. But only a year after completion, it already looks doomed to fail. True, surveillance remains widespread, and outspoken dissidents are punished harshly. But my experience as a correspondent in China for seven years suggests that the country's stranglehold on the communications of its citizens is slipping: Bloggers and other Web sources are rapidly supplanting Communist-controlled news outlets. Cyberprotests have managed to bring about an important constitutional change. And ordinary Chinese citizens can circumvent the Great Firewall and evade other forms of police observation with surprising ease. If they know how.

— The Great Firewall: China's Misguided — and Futile — Attempt to Control What Happens Online, By Oliver August, WIRED MAGAZINE: ISSUE 15.11, 10.23.07 | 12:00 AM

And if they don't know how, that article provides tips.

Breached Party: Labour Loses Confidence Due to Lack of Breach Security

The U.K. Revenue ministry has been leaking massive amounts of personal information, and now it's affected the ruling party:

The Government will face fresh questions over the loss of millions of voters' personal data amid evidence the debacle has helped fuel a massive slump in public confidence.

One poll showed those backing Labour's ability to handle economic problems had been more than halved to 28%, with just a quarter deeming Gordon Brown's administration "competent and capable".

And another gave the Tories a nine-point overall lead, its strongest position for 15 years, just weeks after Labour enjoyed an 11-point advantage in the same poll.

— Confidence in Labour 'plummets', Press Association, Guardian Unlimited, Friday November 23, 2007 7:03 AM

A government in risk of falling due to lack of breach security and perceived lack of technical confidence might be what it takes to get governments and industry to take breach security seriously. For example by requiring breach reporting.

-jsq